Abstract

We present an iterative algorithm for enforcing policies represented in a first-order logic, which can, in particular, express all transmission-related clauses in the HIPAA Privacy Rule. The logic has three features that raise challenges for enforcement: uninterpreted predicates (used to model subjective concepts in privacy policies), real-time temporal properties, and quantification over infinite domains (such as the set of messages containing personal information). The algorithm operates over audit logs that are inherently incomplete and evolve over time. In each iteration, the algorithm provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness and termination properties of the algorithm. While these results are developed in a general form, accounting for many different sources of incompleteness in audit logs, we also prove that for the special case of logs that maintain a complete record of all relevant actions, the algorithm effectively enforces all safety and co-safety properties. The algorithm can significantly help automate enforcement of policies derived from the HIPAA Privacy Rule.

1 Introduction 

Organizations, such as hospitals, banks, and universities, that collect, use, and share personal information have to ensure that they do so in a manner that respects the privacy of the information subjects. In fact, designing effective processes to audit transmission and access logs to ensure compliance with privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) [32], has become one of the greatest challenges facing organizations today (see, for example, a recent survey from Deloitte and the Ponemon Institute [15]). State-of-the-art commercial tools such as Fair Warning [1] allow auditors to mine access and transmission logs and flag potential violations of policy, but do not help decide which flagged items are actual violations, even though privacy legislation often lays down objective criteria to make such decisions. We address this challenge by developing a novel, logic-based method for computer-assisted enforcement of policies. This method can be used to enforce a rich class of privacy and security policies that include, in particular, real privacy regulations like HIPAA.

Policy Specification The first challenge for policy enforcement is formal specification of real 
policies. This challenge was addressed in our prior work on PrivacyLFP [16], an expressive first- 
order temporal logic, in which we represented formally all transmission-related clauses of the HIPAA 
and GLBA Privacy Laws. PrivacyLFP is more expressive than prior logics considered for expressing 
policies, including propositional temporal logics [8, 18] and first-order metric temporal logic [10]. 

Building on the prior work on specification of privacy laws in PrivacyLFP, this paper presents 
an algorithm for enforcing policies represented in the logic, through iterative analysis of audit logs, 
which we assume are collected independently and provided to us. The policy enforcement algorithm 
and the formulation and proof of its properties are the main contribution of this paper. 

Three concepts in privacy legislation (and PrivacyLFP) make mechanical enforcement partic- 
ularly difficult; we discuss these concepts briefly. First, PrivacyLFP includes uninterpreted or 
subjective predicates to model subjective parts of privacy laws. For example, HIPAA allows trans- 
mission of protected health information about an individual from a hospital to a law enforcement 
agency if the hospital believes that the death of the individual was suspicious. Such beliefs are 
represented using uninterpreted predicates because the truth value of these predicates cannot, in 
general, be determined mechanically. 

Second, PrivacyLFP allows first-order quantification over infinite domains (e.g., the set of messages or the set of time points). For example, many HIPAA clauses are of the form $\forall p_1, p_2, m.\,(\mathsf{send}(p_1, p_2, m) \supset \varphi)$ where $p_1$ and $p_2$ are principals and $m$ is a message. Note that this formula quantifies over the infinite set of messages, so if an enforcement algorithm were to blindly instantiate the quantifiers with all possible values in the domain, then it would not terminate. However, only a finite number of messages are relevant in determining the truth value of this formula. This is because the number of messages transmitted from a hospital is finite and hence the predicate $\mathsf{send}(p_1, p_2, m)$ is true for only a finite number of substitutions for the variable $m$ (and similarly for $p_1$ and $p_2$). To ensure that the number of relevant substitutions for every quantified variable is finite, we use the idea of mode checking from logic programming [4], and restrict the syntax of quantifiers in PrivacyLFP slightly. The finite substitution property for quantified variables over infinite domains is defined in Section 4, and ensures termination of our policy enforcement algorithm. The restriction on quantification does not significantly limit representation of HIPAA clauses, a claim we justify in Section 6.

Third, the representation of one transmission-related clause - Section 6802(c) - of the GLBA 
Privacy Law forces PrivacyLFP to include fixpoint operators. In this paper, we do not consider 
fixpoints because the representation of most privacy legislation including all of HIPAA does not 
require fixpoints. We note that including the least fixpoint operator in our algorithm may not be 
difficult, but supporting the greatest fixpoint may require a substantial effort. 

Audit logs Another significant challenge in mechanical enforcement of privacy policies is that the 
logs maintained by organizations may be incomplete, i.e., they may not contain enough information 
to decide whether or not the policy has been violated. For instance, in the absence of human input, 
a machine may not be able to decide whether any instance of a predicate that refers to subjective 
beliefs is true or not. Similarly, we may not be able to predict whether a predicate holds in the 
future or not. As an important contribution, we observe that such possibly incomplete logs can be
abstractly represented as three-valued, partial structures that map each atomic formula to either 
true, false, or unknown [13, 19]. We define the semantics of our logic over such structures. Further, 
by designing our enforcement algorithm to work with partial structures in general, we provide a 
uniform account of policy enforcement with different forms of log incompleteness. 

We explicitly discuss in Section 5.2 a special case of partial structures that are complete up to 
a point of time. This instance corresponds to the standard model of traces used in prior work on 
enforcement of temporal privacy properties [10]. We show that on such structures, our algorithm 
yields a method to find violations of safety properties [2] and satisfactions of co-safety properties [11] 
at the earliest possible time, as may be expected. 

A second important observation is that, in practice, structures evolve over time by gathering more information. We formalize this growth as a natural order, $\mathcal{L}_1 \geq \mathcal{L}_2$ (structure $\mathcal{L}_1$ extends structure $\mathcal{L}_2$), meaning that $\mathcal{L}_1$ has more information than $\mathcal{L}_2$. We present a general definition of extension of partial structures, which encompasses, in particular, notions of temporal (actions are added to the end of a trace) and spatial (distributed logs are merged) extensions.

Policy Enforcement As our central contribution, we propose an iterative process for privacy policy enforcement. At each iteration, our algorithm takes as inputs a structure $\mathcal{L}$ abstracting the then-current audit log and a policy specification $\varphi$, verifies parts of the policy that depend solely on the given structure, and outputs a residual policy $\varphi'$ that contains all the conditions that need to be verified when more information becomes available. We write $\mathsf{reduce}(\mathcal{L}, \varphi) = \varphi'$ to denote one iteration of our reduction algorithm. The residual policy $\varphi'$ is checked on extensions of $\mathcal{L}$.

Our reduction algorithm has several desirable properties that we prove formally. First, the algorithm always terminates. As noted earlier, the finite substitution property for variables quantified over infinite domains is crucial for termination. Second, it is correct: given a structure $\mathcal{L}$ and a policy $\varphi$, any extension of $\mathcal{L}$ satisfies the policy $\varphi$ if and only if it satisfies the residual formula $\varphi'$. Third, it is minimal: the residual formula only contains atoms whose truth value cannot be determined from the structure.

Our algorithm has been designed for after-the-fact (a-posteriori) audit, not runtime verification. 
However, as shown in Section 5.2, for the specific case of policies that do not contain any subjective 
predicates or future obligations, the algorithm may be executed at each privacy-relevant event to 
act as a runtime monitor, if all relevant past system logs can be provided to it. 

Application to HIPAA Our technical results have important implications for enforcing prac- 
tical privacy policies, in particular, the HIPAA Privacy Rule. As discussed in Section 6, not only 
can our algorithm be used to automatically instantiate all quantifiers in all 84 transmission-related 
clauses of HIPAA, but it can also automatically discharge the large percentage of non-subjective 
atoms in instantiated clauses. For example, we estimate that in 17 of the 84 clauses, all atoms can 
be discharged automatically, and in 24 other clauses, at least 80% of the atoms can be discharged 
automatically. 

Summary of Contributions In summary, the contributions of this paper are: 

• An iterative algorithm for enforcing policies represented in PrivacyLFP, a rich logic with 
quantification over infinite domains, and formulation and proofs of the algorithm's properties 
(Section 4) 
Figure 1: Timed First-order Temporal Logic with Restricted Quantifiers



• Use of mode analysis from logic programming to ensure that infinite quantifiers result only 
in a finite number of relevant substitutions (Section 4) 

• A formal model of incomplete audit logs as three-valued structures (Section 3) 

Organization In Section 2, we review PrivacyLFP to the extent needed for this paper. Section 3 
presents partial structures and defines the semantics of PrivacyLFP over them. Section 4 presents 
our policy enforcement algorithm and its properties. Section 5 discusses the behavior of our algo- 
rithm on structures that are complete and those that are complete up to a point of time. In the 
latter case, we also present associated results about enforcement of safety and co-safety properties. 
Section 6 describes how the work in this paper applies to the HIPAA Privacy Rule. Section 7 
provides a detailed comparison with related work and Section 8 presents conclusions and directions 
for future work. 

2 Policy Logic 

We use PrivacyLFP [16] to represent policies, but restrict the syntax of first-order quantifiers slightly 
to facilitate enforcement and drop fixpoint operators. PrivacyLFP consists of an outer policy logic 
with connectives of temporal logic and an inner, equally expressive sublogic without connectives 
of temporal logic to which the outer syntax is translated. Our enforcement algorithm works only 
with the inner sublogic. In this section we review both the outer syntax and the sublogic, as well 
as the translation. 

2.1 Syntax of the Policy Logic 

The syntax of our policy logic is shown in Figure 1. We distinguish two classes of predicate symbols: 1) objective predicates, denoted $p_o$, that can be decided automatically using information from logs or using constraint solvers and 2) subjective predicates, denoted $p_s$, that require human input to resolve. Both classes of predicates are illustrated in examples later. An atom is a predicate applied to a list of terms (terms are denoted $t$). Based on the class of its predicate, an atom is also classified as either objective or subjective, written $P_o$ and $P_s$, respectively.
Propositional connectives $\top$ (true), $\bot$ (false), $\wedge$ (conjunction), $\vee$ (disjunction), and $\neg$ (negation) have their usual meanings. Anticipating the requirements of the enforcement algorithm of Section 4, first-order quantifiers $\forall x.(c \supset \alpha)$ and $\exists x.(c \wedge \alpha)$ in the logic are forced to include a formula $c$ called a restriction. By definition, $\forall x.(c \supset \alpha)$ is true iff all instances of $x$ that satisfy $c$ also satisfy $\alpha$. ($\exists x.(c \wedge \alpha)$ has a similar definition.) To make enforcement tractable, we require that the set of instances of $x$ satisfying $c$ be computable. This is ensured by limiting $c$ to a reduced class of formulas that, in particular, excludes subjective predicates (see the syntax of $c$ in Figure 1), and through a static analysis that we describe in Section 4.

Further, our logic includes standard connectives of linear temporal logic (LTL) [23] that provide quantification over the sequence of states in a system, relative to a current state: $\alpha\,\mathsf{S}\,\beta$ ($\beta$ holds at some state in the past and $\alpha$ holds since then), $\alpha\,\mathsf{U}\,\beta$ ($\beta$ holds at some state in the future and $\alpha$ holds until then), a past-time "always" operator ($\alpha$ holds at all states in the past) and $\Box\alpha$ ($\alpha$ holds at all states in the future). Other temporal operators can be defined, e.g., $\Diamond^{-}\alpha = \top\,\mathsf{S}\,\alpha$ ($\alpha$ holds at some state in the past) and the future "eventually" operator, defined as $\top\,\mathsf{U}\,\alpha$ ($\alpha$ holds at some state in the future).

Finally, to represent clock time, which often occurs in privacy policies, we assume that each state of a system has a time point associated with it. Time points, denoted $\tau$, are elements of $\mathbb{T} = \{x \in \mathbb{R} \mid x \geq 0\} \cup \{\infty\}$. They measure clock time elapsed from a fixed reference point and order states linearly. Relations between time points are captured in logical formulas using the freeze quantifier $\downarrow x.\alpha$ of timed propositional temporal logic (TPTL) [3], which means "$\alpha$ holds with the current time bound to $x$." (Examples below illustrate the quantifier.) Since we have no occasion to reason explicitly about states, we identify a state with the time point associated with it, and use the letter $\tau$ and any of the terms "state", "time point", "time", and "point" to refer to both states and time points. We make the assumption that on any trace there are only finitely many time points between two given finite time points.

We illustrate the syntax of our logic through two examples that are based on the formalization 
of HIPAA in PrivacyLFP. These examples are also used later in the paper. 

Example 2.1. As a first example, we represent in our logic the following policy about disclosure 
(transmission) of health information from one entity (e.g., a hospital or doctor) to another. 

An entity may send an individual's protected health information (phi) to another entity 
only if the receiving entity is the patient's doctor and the purpose of the transmission 
is treatment, or the individual has previously consented to the transmission. 

Our formalization assumes that each transmitted message $m$ is tagged by the sender (in a machine-readable format) with the names of individuals whose information it carries as well as the attributes of information it carries (attributes include "address", "social security number", "medications", "medical history", etc.). The predicate $\mathsf{tagged}(m, q, t)$ means that message $m$ is tagged as carrying individual $q$'s attribute $t$. Tagging may or may not reflect accurately the content of the message. Similarly, we assume that each message $m$ is labeled in a machine-readable format with a purpose $u$ (e.g., "treatment", "healthcare", etc.). This is represented by the predicate $\mathsf{purp}(m, u)$. Because we assume that name and attribute tags as well as purpose labels are machine readable, both tagged and purp are objective predicates: their truth or falsity can be checked using a program.

Attributes are assumed to have a hierarchy, e.g., the attribute "medications" is contained in "medical history". This is formalized as the predicate $\mathsf{attr\_in}(\mathit{medications}, \mathit{medical\text{-}history})$. We assume that the hierarchy can be mechanically checked, so attr_in is an objective predicate. The predicate $\mathsf{purp\_in}(u, u')$ means that purpose $u$ is a special case of purpose $u'$, e.g., $\mathsf{purp\_in}(\mathit{surgery}, \mathit{treatment})$. In contrast to attributes, we assume that the purpose hierarchy cannot be computed, so purp_in is a subjective predicate. In an enforcement system, it must be checked through human input.

Finally, each action or fact that can be recorded in a system log (such as sending a message or that Alice is in role doctor) is represented as an objective predicate. For this example we need three objective predicates: $\mathsf{send}(p_1, p_2, m)$ meaning that entity $p_1$ sends message $m$ to entity $p_2$, $\mathsf{consents}(q, a)$ which means that individual $q$ consents to the action $a$, and $\mathsf{inrole}(p, r)$ which means that principal $p$ is in role $r$. Here, the only action consented to is $\mathsf{sendaction}(p_1, p_2, (q, t))$, which corresponds to $p_1$ sending to $p_2$ a message containing information about $q$'s attribute $t$.

The above policy can be formalized in our logic as follows.

$\alpha_{pol1} = \forall p_1, p_2, m, u, q, t.\ (\mathsf{send}(p_1, p_2, m) \wedge \mathsf{purp}(m, u) \wedge \mathsf{tagged}(m, q, t) \wedge \mathsf{attr\_in}(t, \mathit{phi}))$
$\qquad \supset ((\mathsf{inrole}(p_2, \mathsf{doc}(q)) \wedge \mathsf{purp\_in}(u, \mathit{treatment}))$
$\qquad\quad \vee\ \Diamond^{-}\mathsf{consents}(q, \mathsf{sendaction}(p_1, p_2, (q, t))))$

In words, if entity $p_1$ sends to entity $p_2$ a message $m$, $m$ is tagged as carrying attribute $t$ of individual $q$, where $t$ is a form of phi (protected health information), and $m$ is labeled with purpose $u$, then either $p_2$ (the recipient) is a doctor of $q$ (atom $\mathsf{inrole}(p_2, \mathsf{doc}(q))$) and $u$ is a type of treatment, or $q$ has consented to this transmission in the past (last line of $\alpha_{pol1}$). The temporal operator $\Diamond^{-}$ is used to indicate that the consent may have been given by $q$ in some earlier state. Also, the universal quantifier in the formula above carries a restriction $(\mathsf{send}(p_1, p_2, m) \wedge \mathsf{purp}(m, u) \wedge \mathsf{tagged}(m, q, t) \wedge \mathsf{attr\_in}(t, \mathit{phi}))$, as required by our syntax. The technical reason for including restrictions is explained in Section 4.

Example 2.2. Our next example is a policy governing entity response to an individual's request 
for her own information. 

If an individual requests her information from an entity, then some administrator in the 
records department of the entity must respond to the individual at the earliest feasible 
time, but not later than 30 days after the request. 

To represent this policy we need one more objective predicate, $\mathsf{req}(p, t)$, which means that individual $p$ requests information about attribute $t$ from her record. Further, we need two new subjective predicates: $\mathsf{contains}(m, q, t)$ (message $m$ contains attribute $t$ of individual $q$) and $\mathsf{ftr}(p, t)$ (it is feasible to respond to individual $p$ with attribute $t$ at the current time). The latter clearly requires human input to resolve, because "feasibility" cannot be defined mechanically, while the former requires human input because we assume that message payloads may contain natural language text.

The logical specification of this policy is shown below:

$\alpha_{pol2} = \downarrow\tau.\ \forall p, t.\ \mathsf{req}(p, t)$
$\qquad \supset \neg\mathsf{ftr}(p, t)\ \mathsf{U}\ \downarrow\tau'.\ (\mathsf{in}(\tau', \tau, \tau + 30)$
$\qquad\qquad \wedge\ \exists q, m.\ (\mathsf{inrole}(q, \mathit{records}) \wedge \mathsf{send}(q, p, m) \wedge \mathsf{contains}(m, p, t)))$

The top-most quantifier $\downarrow\tau$ binds $\tau$ to the time at which a request occurs and, similarly, $\downarrow\tau'$ binds $\tau'$ to the time at which a response is sent. $\mathsf{in}(\tau', \tau, \tau + 30)$, formally explained in Section 2.2, implies that $\tau' \leq \tau + 30$, thus enforcing the constraint that the response be sent within 30 days of the request, as required by the policy. The until operator $\mathsf{U}$ is used to include the obligation that it be infeasible to respond until the response is actually sent.

2.2 Translation to a Smaller Syntax 

Policies expressed in PrivacyLFP's outer syntax can be translated into a smaller sublogic without temporal connectives and negation. This smaller syntax of formulas $\varphi, \psi$ of the sublogic is shown below. Other syntactic categories such as restrictions $c$ are not changed.

Formulas $\varphi$ ::= $P_o \mid P_s \mid \top \mid \bot \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \forall x.(c \supset \varphi) \mid \exists x.(c \wedge \varphi)$

We surmount the absence of negation in the sublogic by defining for each formula $\varphi$ a dual $\bar\varphi$ that behaves exactly as $\neg\varphi$ would. For defining duals of atoms, we assume that each predicate $p$ has a dual $\bar p$ such that $\bar p(t_1, \ldots, t_n)$ is true iff $p(t_1, \ldots, t_n)$ is false (the relation between $p$ and $\bar p$ is formalized in Section 3). We define $\bar\varphi$ by induction on $\varphi$, as in the representative clauses below (for the remaining clauses see Appendix A).

$\overline{p(t_1, \ldots, t_n)} = \bar p(t_1, \ldots, t_n)$

$\overline{\varphi \wedge \psi} = \bar\varphi \vee \bar\psi$

$\overline{\forall x.(c \supset \varphi)} = \exists x.(c \wedge \bar\varphi)$
$\overline{\exists x.(c \wedge \varphi)} = \forall x.(c \supset \bar\varphi)$

Temporal connectives are translated to the sublogic by making time points (states) and the ordering relation between them explicit in first-order formulas in a standard way (see [16]). Briefly, we assume that for every predicate symbol in the logic there is a predicate of the same name in the sublogic, but with one extra argument of type time: $p(t_1, \ldots, t_n, \tau)$ in the sublogic means that $p(t_1, \ldots, t_n)$ holds at time $\tau$ in the logic. Further, assume that the new objective predicate $\mathsf{in}(\tau, \tau_1, \tau_2)$ means that $\tau$ is an observed time point (in the trace of interpretation) satisfying $\tau_1 \leq \tau \leq \tau_2$. Finally, let $H[t/x]$ denote the result of substituting the terms $t$ for variables $x$ in the syntactic entity $H$. Then, representative clauses of the translation $(\cdot)^\tau$ of restrictions and formulas of the logic to those of the sublogic, indexed by a "current time" $\tau$, are shown below (the full translation is shown in Appendix A):



$(p_o(t_1, \ldots, t_n))^\tau = p_o(t_1, \ldots, t_n, \tau)$

$(p_s(t_1, \ldots, t_n))^\tau = p_s(t_1, \ldots, t_n, \tau)$

$(\forall x.(c \supset \alpha))^\tau = \forall x.((c)^\tau \supset (\alpha)^\tau)$

$(\downarrow x.\alpha)^\tau = (\alpha[\tau/x])^\tau$

$(\alpha\,\mathsf{S}\,\beta)^\tau = \exists\tau'.(\mathsf{in}(\tau', 0, \tau) \wedge (\beta)^{\tau'} \wedge (\forall\tau''.((\mathsf{in}(\tau'', \tau', \tau) \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})))$

$(\alpha\,\mathsf{U}\,\beta)^\tau = \exists\tau'.(\mathsf{in}(\tau', \tau, \infty) \wedge (\beta)^{\tau'} \wedge (\forall\tau''.((\mathsf{in}(\tau'', \tau, \tau') \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})))$

We briefly explain some of the clauses of the translation. In $(\downarrow x.\alpha)^\tau$, $x$ binds to the current time, which is $\tau$; therefore, $\tau$ substitutes $x$ in $\alpha$ in the translation. $\alpha\,\mathsf{S}\,\beta$ means that $\beta$ is true at some time point in the past, which is captured by the existentially quantified variable $\tau'$ in the translation, and the restriction $\mathsf{in}(\tau', 0, \tau)$. Further, $\alpha$ should be true at all time points between $\tau'$ and now ($\tau$); this is encoded as $\forall\tau''.((\mathsf{in}(\tau'', \tau', \tau) \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})$.

Example 2.3. In Section 2.1 we presented two sample policies, $\alpha_{pol1}$ and $\alpha_{pol2}$. In general, we may wish to enforce each of these policies in each state. To express the phrase "in each state", we define an abbreviation: $\mathsf{G}\alpha = \forall\tau.(\mathsf{in}(\tau, 0, \infty) \supset (\alpha)^\tau)$, which means that $\alpha$ holds at each time point $\tau$. Then, using the translation above and simplifying slightly, we get:

$\mathsf{G}\alpha_{pol1} = \forall\tau, p_1, p_2, m, u, q, t.$
$\quad (\mathsf{in}(\tau, 0, \infty) \wedge \mathsf{send}(p_1, p_2, m, \tau) \wedge \mathsf{purp}(m, u, \tau) \wedge \mathsf{tagged}(m, q, t, \tau) \wedge \mathsf{attr\_in}(t, \mathit{phi}, \tau))$
$\quad \supset ((\mathsf{inrole}(p_2, \mathsf{doc}(q), \tau) \wedge \mathsf{purp\_in}(u, \mathit{treatment}, \tau))$
$\qquad \vee\ (\exists\tau'.\ (\mathsf{in}(\tau', 0, \tau) \wedge \mathsf{consents}(q, \mathsf{sendaction}(p_1, p_2, (q, t)), \tau'))))$

$\mathsf{G}\alpha_{pol2} = \forall\tau, p, t.\ (\mathsf{in}(\tau, 0, \infty) \wedge \mathsf{req}(p, t, \tau))$
$\quad \supset \exists\tau', q, m.\ ((\mathsf{in}(\tau', \tau, \tau + 30) \wedge \mathsf{inrole}(q, \mathit{records}, \tau') \wedge \mathsf{send}(q, p, m, \tau'))$
$\qquad \wedge\ \mathsf{contains}(m, p, t, \tau') \wedge \forall\tau''.\ (\mathsf{in}(\tau'', \tau, \tau') \wedge \tau'' \neq \tau') \supset \overline{\mathsf{ftr}}(p, t, \tau''))$

Note that all atoms, except those like $\mathsf{in}(\ldots)$ and $\tau'' \neq \tau'$ that are introduced by the translation itself, have a new last argument, which is a time point. For certain predicates like tagged, attr_in and purp_in, whose truth is independent of time, this last argument is redundant. For instance, if $\mathsf{attr\_in}(t, t', \tau)$ for some $\tau$, then $\mathsf{attr\_in}(t, t', \tau')$ for all $\tau'$.
3 Partial Structures and Semantics



Next, we define partial structures, an abstraction of audit logs over which our enforcement algorithm
(Section 4) works. We call our structures partial because they do not necessarily stipulate the truth 
or falsity of every atom, thus accurately reflecting the fact that audit logs may be incomplete in 
practice. We also illustrate, by virtue of example, various kinds of audit log incompleteness that 
our partial structures generalize. Finally, we define the semantics (meanings) of formulas of the 
sublogic on partial structures. This definition is used in Section 4 to state the correctness of our 
enforcement mechanism. Partial structures have been used, both explicitly and implicitly, in prior 
work on policy enforcement; we compare to such work in Section 7. 

Fix a domain of individuals $D$. A partial structure (abbrev. structure) $\mathcal{L}$ over $D$ consists of a total function $\rho_\mathcal{L}$ from ground (variable-free) atoms of the logic to the three-valued set $\{\mathsf{tt}, \mathsf{ff}, \mathsf{uu}\}$. We say that the atom $P$ is true, false, or unknown in the structure $\mathcal{L}$ if $\rho_\mathcal{L}(P)$ is tt, ff, or uu, respectively. In practice, the structure $\mathcal{L}$ may be defined using system logs (hence the notation $\mathcal{L}$), whence for every subjective atom $P_s$, $\rho_\mathcal{L}(P_s)$ would be uu.

The semantics of our sublogic lift the definition of truth to formulas $\varphi$ by induction on $\varphi$: we write $\mathcal{L} \models \varphi$ to mean that "$\varphi$ is true in the structure $\mathcal{L}$". Restrictions $c$ are a subsyntax of formulas $\varphi$, so we do not define the relation separately for them.

- $\mathcal{L} \models P$ iff $\rho_\mathcal{L}(P) = \mathsf{tt}$

- $\mathcal{L} \models \top$

- $\mathcal{L} \models \varphi \wedge \psi$ iff $\mathcal{L} \models \varphi$ and $\mathcal{L} \models \psi$

- $\mathcal{L} \models \forall x.(c \supset \varphi)$ iff for all $t \in D$ either $\mathcal{L} \models \bar c[t/x]$ or $\mathcal{L} \models \varphi[t/x]$

- $\mathcal{L} \models \exists x.(c \wedge \varphi)$ iff there exists $t \in D$ such that $\mathcal{L} \models c[t/x]$ and $\mathcal{L} \models \varphi[t/x]$

For dual atoms, we define $\rho_\mathcal{L}(\bar P) = \overline{\rho_\mathcal{L}(P)}$, where $\overline{\mathsf{tt}} = \mathsf{ff}$, $\overline{\mathsf{ff}} = \mathsf{tt}$, and $\overline{\mathsf{uu}} = \mathsf{uu}$. We say that a formula $\varphi$ is false on the structure $\mathcal{L}$ if $\mathcal{L} \models \bar\varphi$. The following two properties hold:

1. Consistency: A formula $\varphi$ cannot be simultaneously true and false in the structure $\mathcal{L}$, i.e., either $\mathcal{L} \not\models \varphi$ or $\mathcal{L} \not\models \bar\varphi$.

2. Incompleteness: A formula $\varphi$ may be neither true nor false in a structure $\mathcal{L}$, i.e., $\mathcal{L} \not\models \varphi$ and $\mathcal{L} \not\models \bar\varphi$ may both hold.

The first property follows by induction on $\varphi$. The second property follows from a simple example. Consider a structure $\mathcal{L}$ and an atom $P$ such that $\rho_\mathcal{L}(P) = \mathsf{uu}$. Then, $\mathcal{L} \not\models P$ and $\mathcal{L} \not\models \bar P$.

Incompleteness in Practice We list below several ways in which system logs may be incomplete, and describe how each can be modeled in partial structures by varying the definition of $\rho_\mathcal{L}$.

• Subjective incompleteness: An audit log may not contain information about subjective predicates. This may be modeled by requiring that $\rho_\mathcal{L}(P_s) = \mathsf{uu}$ for every subjective atom $P_s$. We revisit subjective incompleteness in the context of our enforcement algorithm in Section 5.1.

• Future incompleteness: An audit log may not contain information about the future, which is necessary to enforce policies like that in Example 2.2. This may be modeled by assuming that for each time $\tau$ greater than the last point observed in $\mathcal{L}$, and for all $p, t_1, \ldots, t_n$, $\rho_\mathcal{L}(p(t_1, \ldots, t_n, \tau)) = \mathsf{uu}$. (Recall that in our translation of the outer logic, the last argument $\tau$ is the time at which the predicate's truth is tested.) We revisit future incompleteness in the context of our enforcement algorithm in Section 5.2.

• Spatial incompleteness: An audit log may not record all predicates. For instance, with reference to Example 2.1, it is conceivable that the predicates send and inrole are stored on separate sites. If we audit at the first site, information about inrole may be unavailable. Such incompleteness is easily modeled like subjective incompleteness. For instance, we may assume that $\rho_\mathcal{L}(\mathsf{inrole}(p, r, \tau)) = \mathsf{uu}$ for all $p, r, \tau$.

• Past incompleteness: An audit log may not record the existence of certain relevant states, even those in the past. This has implications for enforcing temporal operators, e.g., we may be unable to check a past-time formula simply because we cannot determine what states existed in the past. This form of incompleteness can be formally modeled by assuming that if a time point $\tau$ does not occur in an audit log $\mathcal{L}$, then $\rho_\mathcal{L}(\mathsf{in}(\tau, \tau', \tau'')) = \mathsf{uu}$. In the special case where it is certain that the time point $\tau$ does not exist, we would have $\rho_\mathcal{L}(\mathsf{in}(\tau, \tau', \tau'')) = \mathsf{ff}$.

Our enforcement algorithm (Section 4) works with partial structures in general and, hence, 
takes into account all these forms of incompleteness. We comment on some specific instances in 
Section 5. 

Structure Extension In practice, system logs evolve over time by gathering more information. This leads to a natural order, $\mathcal{L}_1 \geq \mathcal{L}_2$ on structures ($\mathcal{L}_1$ extends $\mathcal{L}_2$), meaning that $\mathcal{L}_1$ has more information than $\mathcal{L}_2$. Formally, $\mathcal{L}_1 \geq \mathcal{L}_2$ iff for all ground atoms $P$, $\rho_{\mathcal{L}_2}(P) \in \{\mathsf{tt}, \mathsf{ff}\}$ implies $\rho_{\mathcal{L}_1}(P) = \rho_{\mathcal{L}_2}(P)$. Thus, as structures extend, the valuation of an atom may change from uu to either tt or ff, but cannot change once it is either tt or ff. The following property follows by induction on $\varphi$:

• Monotonicity: $\mathcal{L}_1 \geq \mathcal{L}_2$ and $\mathcal{L}_2 \models \varphi$ imply $\mathcal{L}_1 \models \varphi$.

Replacing $\varphi$ with $\bar\varphi$, we also obtain that $\mathcal{L}_1 \geq \mathcal{L}_2$ and $\mathcal{L}_2 \models \bar\varphi$ imply $\mathcal{L}_1 \models \bar\varphi$. Hence, if $\mathcal{L}_1 \geq \mathcal{L}_2$ then $\mathcal{L}_1$ preserves both the $\mathcal{L}_2$-truth and $\mathcal{L}_2$-falsity of every formula $\varphi$.

In the next section, we use this order between structures to both explain and prove formal 
properties of our enforcement algorithm. 
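As an added example (not code from the paper), the following Python models a partial structure with its three-valued valuation, the dual $\bar\varphi$ of Section 2.2, the satisfaction relation of this section and the extension order $\mathcal{L}_1 \geq \mathcal{L}_2$, exercised on an untimed instance of Example 2.1. It assumes the tuple encoding of formulas described in the comments, a finite toy domain for the quantifiers, a closed-world reading (absent atom = ff) only for the predicates the constructed sample log records, and the principals of Example 2.1 fixed so that only the message and purpose are quantified.

```python
# Formulas are nested tuples:
#   ("atom", p, args) / ("natom", p, args)   the atom p(args) and its dual, true iff p(args) is false
#   ("top",) / ("bot",)                       true / false
#   ("and", a, b) / ("or", a, b)
#   ("all", x, c, phi)  forall x.(c => phi)   ("ex", x, c, phi)  exists x.(c and phi)
# Variables are strings starting with "?"; every other string is a constant.
TT, FF, UU = "tt", "ff", "uu"     # the three truth values a partial structure assigns to an atom

class Structure:
    """Partial structure rho_L.  `recorded` names the predicates the log records completely:
    an absent atom of such a predicate is ff (closed world); any other absent atom is uu."""
    def __init__(self, vals, recorded):
        self.vals, self.recorded = dict(vals), frozenset(recorded)

    def rho(self, p, args):
        v = self.vals.get((p, args))
        return v if v is not None else (FF if p in self.recorded else UU)

    def with_atom(self, p, args, v):
        """A copy that additionally decides p(args) = v (how extensions are built below)."""
        return Structure({**self.vals, (p, args): v}, self.recorded)

def dual(phi):
    """phi-bar, which behaves exactly as negation would; restrictions c are left untouched."""
    tag = phi[0]
    if tag == "atom":  return ("natom",) + phi[1:]
    if tag == "natom": return ("atom",) + phi[1:]
    if tag == "top":   return ("bot",)
    if tag == "bot":   return ("top",)
    if tag == "and":   return ("or", dual(phi[1]), dual(phi[2]))
    if tag == "or":    return ("and", dual(phi[1]), dual(phi[2]))
    if tag == "all":   return ("ex", phi[1], phi[2], dual(phi[3]))
    return ("all", phi[1], phi[2], dual(phi[3]))            # tag == "ex"

def subst(phi, x, t):
    """phi[t/x]; a nested quantifier that rebinds x shadows the substitution."""
    if phi[0] in ("atom", "natom"):
        return (phi[0], phi[1], tuple(t if a == x else a for a in phi[2]))
    if phi[0] in ("all", "ex") and phi[1] == x:
        return phi
    return (phi[0],) + tuple(subst(q, x, t) if isinstance(q, tuple) else q for q in phi[1:])

def holds(L, D, phi):
    """L |= phi by the inductive clauses of Section 3, with quantifiers ranging over a finite D."""
    tag = phi[0]
    if tag == "atom":  return L.rho(phi[1], phi[2]) == TT
    if tag == "natom": return L.rho(phi[1], phi[2]) == FF    # rho(P-bar) is the bar of rho(P)
    if tag == "top":   return True
    if tag == "bot":   return False
    if tag == "and":   return holds(L, D, phi[1]) and holds(L, D, phi[2])
    if tag == "or":    return holds(L, D, phi[1]) or holds(L, D, phi[2])
    x, c, body = phi[1:]
    if tag == "all":   # every t in D either falsifies the restriction or satisfies the body
        return all(holds(L, D, subst(dual(c), x, t)) or holds(L, D, subst(body, x, t)) for t in D)
    return any(holds(L, D, subst(c, x, t)) and holds(L, D, subst(body, x, t)) for t in D)

def truth(L, D, phi):
    """Three-valued truth of phi on L: true, false (its dual holds) or unknown."""
    if holds(L, D, phi):
        return TT
    return FF if holds(L, D, dual(phi)) else UU

def extends(L1, L2):
    """L1 >= L2: no atom decided (tt or ff) in L2 changes its value in L1."""
    keys = set(L1.vals) | set(L2.vals)
    return L2.recorded <= L1.recorded and all(
        L2.rho(p, a) == UU or L1.rho(p, a) == L2.rho(p, a) for p, a in keys)

# Constructed sample log (not from the paper): the hospital sends message m1, tagged as carrying
# Alice's medications, to Bob (Alice's doctor) with purpose label "surgery".  purp_in is
# subjective and consents is not recorded at this site, so both stay unknown.
def sample_log():
    return Structure({
        ("send", ("hosp", "bob", "m1")): TT,
        ("purp", ("m1", "surgery")): TT,
        ("tagged", ("m1", "alice", "medications")): TT,
        ("attr_in", ("medications", "phi")): TT,
        ("inrole", ("bob", "doc(alice)")): TT,
    }, recorded={"send", "purp", "tagged", "attr_in", "inrole"})

DOMAIN = {"m1", "m2", "surgery", "billing"}      # finite toy domain for the quantifiers

def policy():
    """Example 2.1, untimed, with p1 = hosp, p2 = bob, q = alice and t = medications fixed, so
    only the message m and the purpose u are quantified; past consent is a plain atom here."""
    m, u = "?m", "?u"
    sent = ("and", ("atom", "send", ("hosp", "bob", m)),
            ("and", ("atom", "tagged", (m, "alice", "medications")),
             ("atom", "attr_in", ("medications", "phi"))))
    allowed = ("or", ("and", ("atom", "inrole", ("bob", "doc(alice)")),
                      ("atom", "purp_in", (u, "treatment"))),
               ("atom", "consents", ("alice", "sendaction(hosp,bob,(alice,medications))")))
    return ("all", m, sent, ("all", u, ("atom", "purp", (m, u)), allowed))
```

On the sample log the policy is neither true nor false (its truth hinges on the subjective purp_in atom), it becomes true once a human decides purp_in(surgery, treatment) = tt, and false once purp_in and consents are both decided ff; both extensions satisfy the order above.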

4 Policy Enforcement 

Our main technical contribution is an iterative process for enforcing policies written in the sublogic. Through the translation of Section 2.2, the same process applies to policies written in the entire policy logic. At each iteration, our algorithm takes as input a policy $\varphi$ and the available audit log abstracted as a partial structure $\mathcal{L}$, and outputs a residual policy $\psi$ that contains exactly the parts of $\varphi$ that could not be verified due to lack of information in $\mathcal{L}$. Such an iteration is written $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$. In practice, $\psi$ may contain subjective predicates and future obligations. Once more information becomes available, extending $\mathcal{L}$ to $\mathcal{L}'$ ($\mathcal{L}' \geq \mathcal{L}$), another iteration of the algorithm can be used with inputs $\psi$ and $\mathcal{L}'$ to obtain a new formula $\psi'$. This process can be continued till a formula trivially equivalent to $\top$ or $\bot$ is obtained, or the truth or falsity of the remaining formula is decided by human intervention. By design, our algorithm satisfies three important properties:

• Termination: Each iteration terminates.

• Correctness: If $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$, then for all extensions $\mathcal{L}'$ of $\mathcal{L}$, $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$.

• Minimality: If $\mathsf{reduce}(\mathcal{L}, \varphi) = \psi$, then an atom occurs in $\psi$ only if it occurs in $\varphi$ and its valuation on $\mathcal{L}$ is uu.

The technically difficult part of the algorithm is its treatment of quantifiers $\forall x.\varphi$ and $\exists x.\varphi$ in the input. Indeed, for propositional logic (logic without quantifiers), an algorithm satisfying the three properties above can be constructed trivially: define $\mathsf{reduce}(\mathcal{L}, \varphi)$ to be the formula obtained by replacing each atom $P$ in $\varphi$ with $\top$ if $\rho_\mathcal{L}(P) = \mathsf{tt}$, with $\bot$ if $\rho_\mathcal{L}(P) = \mathsf{ff}$, and with $P$ itself if $\rho_\mathcal{L}(P) = \mathsf{uu}$. This algorithm terminates because formulas are finite, its correctness can be proved by a simple induction on $\varphi$, and minimality is obvious from the definition of reduce.

However, as the reader may already anticipate, this simple idea does not extend to quantifiers. Consider, for instance, the behavior of the algorithm on inputs $\forall x.\varphi$ and $\mathcal{L}$. Because the output must be minimal, in order to reduce $\forall x.\varphi$, the algorithm must instantiate $x$ with each possible element of the domain $D$ and check the truth or falsity of $\varphi$ for that instance on $\mathcal{L}$. This immediately leads to non-termination because in models of realistic privacy policies the domain $D$ must be infinite, e.g., permissible time points and transmitted messages (which may contain free text in natural language) are both infinite sets.

Given the need for an infinite domain, something intrinsic in $\varphi$ must limit the number of relevant instances of $x$ that need to be checked to a finite number. This is precisely what our restricted form of universal quantification, $\forall x.(c \supset \varphi)$, accomplishes. Through the syntactic restrictions of Figure 1 and other static checks described later, we ensure that there are only a finite number of instances of $x$ for which $c$ is true on the given structure $\mathcal{L}$. Further, all such instances can be mechanically computed from $\mathcal{L}$. Although fulfilling these requirements is non-trivial, given that they hold, the rest of the algorithm is natural and syntax-directed.

Briefly, our enforcement regime contains the following components:

• An efficiently checkable relation $\vdash \varphi$ on policies, called a mode analysis (borrowing the term from logic programming [4]), which ensures that the relevant instances of each quantified variable in $\varphi$ are finite and computable.

• A function $\widehat{\mathrm{sat}}(\mathcal{L},c)$ that computes all satisfying instances of the restriction $c$.

• The function $\mathrm{reduce}(\mathcal{L},\varphi)$ that codifies a single iteration of enforcement. The definition of $\mathrm{reduce}(\mathcal{L},\varphi)$ relies on $\widehat{\mathrm{sat}}(\mathcal{L},c)$ and assumes that $\vdash \varphi$.

In the following, we explain each of these three components, starting with the main algorithm reduce (Section 4.1). After proving its correctness and minimality (Section 4.2), we proceed to define $\widehat{\mathrm{sat}}$ and the relation $\vdash \varphi$ (Section 4.3).
4.1 Iterative Enforcement Algorithm

The core of our enforcement regime is a computable function $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$ that discharges obligations from the prevalent policy $\varphi$ using information from the extant structure $\mathcal{L}$ to obtain a residual policy $\psi$. Given an initial policy $\varphi_0$ and a sequence of structures $\mathcal{L}_1 \leq \mathcal{L}_2 \leq \cdots \leq \mathcal{L}_n$, the reduction algorithm can be applied repeatedly to obtain $\varphi_1, \ldots, \varphi_n$ such that $\mathrm{reduce}(\mathcal{L}_i, \varphi_{i-1}) = \varphi_i$.

We write this process in symbols as $\varphi_0 \xrightarrow{\mathcal{L}_1} \varphi_1 \xrightarrow{\mathcal{L}_2} \cdots \xrightarrow{\mathcal{L}_n} \varphi_n$. Correctness (Theorem 4.2) guarantees that $\varphi_n$ is equivalent to $\varphi_0$ in all extensions of $\mathcal{L}_n$, while minimality (Theorem 4.3) certifies that $\varphi_n$ contains only those atoms of $\varphi_0$ that could not be discharged using the information in $\mathcal{L}_n$ (by definition, $\mathcal{L}_n$ subsumes the information in $\mathcal{L}_1, \ldots, \mathcal{L}_{n-1}$). We note that our correctness and minimality results are independent of the frequency or scheme used for application of reduce.

The definition of $\mathrm{reduce}(\mathcal{L},\varphi)$ has two dependencies, whose formal definitions are postponed to Section 4.3. First, the function assumes that its input $\varphi$ is well-moded, formally written $\vdash \varphi$. Well-modedness is a static check, linear in the size of $\varphi$, which ensures that the satisfying instances of each restriction $c$ in each quantifier in $\varphi$ are finite and computable. Second, $\mathrm{reduce}(\mathcal{L},\varphi)$ assumes a function $\widehat{\mathrm{sat}}(\mathcal{L},c)$ that computes all satisfying instances of restriction $c$ in structure $\mathcal{L}$. The output of $\widehat{\mathrm{sat}}(\mathcal{L},c)$ is a finite set of substitutions $\{\sigma_1, \ldots, \sigma_n\}$, where each substitution $\sigma_i$ is a finite map from free variables of $c$ to ground terms. $\widehat{\mathrm{sat}}(\mathcal{L},c)$ satisfies the following condition: $\mathcal{L} \models c\sigma$ iff $\sigma \in \widehat{\mathrm{sat}}(\mathcal{L},c)$.

The function $\mathrm{reduce}(\mathcal{L},\varphi)$ is defined by induction on $\varphi$ in Figure 2. For atoms $P$, $\mathrm{reduce}(\mathcal{L},P)$ equals $\top$, $\bot$, or $P$, according to whether $\rho_{\mathcal{L}}(P)$ equals $\mathrm{tt}$, $\mathrm{ff}$, or $\mathrm{uu}$. In particular, in the absence of human input $\rho_{\mathcal{L}}(P_s) = \mathrm{uu}$ for a subjective atom $P_s$ and hence, in the absence of human input, $\mathrm{reduce}(\mathcal{L},P_s) = P_s$. The clauses for the connectives $\top$, $\bot$, $\wedge$, and $\vee$ are straightforward. To evaluate $\mathrm{reduce}(\mathcal{L}, \forall\vec{x}.(c \supset \varphi))$, we first determine the set of instances of $\vec{x}$ that satisfy $c$ by calling $\widehat{\mathrm{sat}}(\mathcal{L},c)$. For each such instance $t_1, \ldots, t_n$, we reduce $\varphi[t_i/\vec{x}]$ to $\psi_i$ through a recursive call to reduce. Because all instances of $\varphi$ must hold in order for $\forall\vec{x}.(c \supset \varphi)$ to be true, the output is $\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'$, where the last conjunct $\psi'$ records the fact that instances of $\vec{x}$ other than $t_1, \ldots, t_n$ have not been considered. The latter is necessary because there may be instances of $\vec{x}$ satisfying $c$ in extensions of $\mathcal{L}$, but not in $\mathcal{L}$ itself. Precisely, we define $S = \{t_1, \ldots, t_n\}$ and $\psi' = \forall\vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi)$. The new conjunct $\vec{x} \notin S$ prevents the instances $t_1, \ldots, t_n$ from being checked again in subsequent iterations. Formally, $\vec{x} \notin S$ is an objective predicate that encodes the negation of usual finite-set membership. The treatment of $\exists\vec{x}.(c \wedge \varphi)$ is dual; in that case, the output contains disjunctions because the truth of any one instance of $\varphi$ suffices for the formula to hold.

Example 4.1. We illustrate iterative enforcement on the policy $\varphi_0 = G\,\varphi_{pol2}$ that we obtained via translation in Example 2.3. The policy requires that the recipient of a request for information respond within 30 days with the information. We advise the reader to revisit the example for the definition of $\varphi_0$. For the purpose of explanation, let us define $\varphi(\tau,p,t)$ by pattern matching to be the formula satisfying $\varphi_0 = \forall\tau,p,t.\ (\mathrm{in}(\tau,0,\infty) \wedge \mathrm{req}(p,t,\tau)) \supset \varphi(\tau,p,t)$. Informally, $\varphi(\tau,p,t)$ is the obligation that must be satisfied if principal $p$ requests information about attribute $t$ from her record at time $\tau$.

Suppose that we first run $\mathrm{reduce}(\mathcal{L},\varphi_0)$ in a structure $\mathcal{L}$ which has the states $1, 3, 7$, only one request, namely Alice's request for her medical record (attribute $\mathrm{mr}$) at time 3, and no other information. Intuitively, this information implies that $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{in}(\tau,0,\infty) \wedge \mathrm{req}(p,t,\tau)) = \{(\tau,p,t) \mapsto (3,\mathrm{Alice},\mathrm{mr})\}$. (We check formally in Example 4.6 that this is actually the case.) Hence, by the definition of reduce, we know that $\mathrm{reduce}(\mathcal{L},\varphi_0) = \psi_1 \wedge \varphi_0'$, where $\psi_1 = \mathrm{reduce}(\mathcal{L}, \varphi[(3,\mathrm{Alice},\mathrm{mr})/(\tau,p,t)])$ and $\varphi_0' = \forall\tau,p,t.\ (\mathrm{in}(\tau,0,\infty) \wedge \mathrm{req}(p,t,\tau) \wedge (\tau,p,t) \notin \{(3,\mathrm{Alice},\mathrm{mr})\}) \supset \varphi(\tau,p,t)$. The reader may check that because the trace has no other information, $\psi_1 = \varphi[(3,\mathrm{Alice},\mathrm{mr})/(\tau,p,t)]$, so the output of the reduction is $\psi_1 \wedge \varphi_0'$. Expansion of the formula $\psi_1$ shows that it is precisely the obligation that the recipient respond to Alice with her medical record within 30 days. Call this entire output $\varphi_1$.

$$\mathrm{reduce}(\mathcal{L},P) = \begin{cases} \top & \text{if } \rho_{\mathcal{L}}(P) = \mathrm{tt} \\ \bot & \text{if } \rho_{\mathcal{L}}(P) = \mathrm{ff} \\ P & \text{if } \rho_{\mathcal{L}}(P) = \mathrm{uu} \end{cases}$$

$$\mathrm{reduce}(\mathcal{L},\top) = \top \qquad\qquad \mathrm{reduce}(\mathcal{L},\bot) = \bot$$

$$\mathrm{reduce}(\mathcal{L},\varphi_1 \wedge \varphi_2) = \mathrm{reduce}(\mathcal{L},\varphi_1) \wedge \mathrm{reduce}(\mathcal{L},\varphi_2)$$

$$\mathrm{reduce}(\mathcal{L},\varphi_1 \vee \varphi_2) = \mathrm{reduce}(\mathcal{L},\varphi_1) \vee \mathrm{reduce}(\mathcal{L},\varphi_2)$$

$$\begin{aligned} \mathrm{reduce}(\mathcal{L}, \forall\vec{x}.(c \supset \varphi)) = \mathbf{let}\ & \{\sigma_1, \ldots, \sigma_n\} \leftarrow \widehat{\mathrm{sat}}(\mathcal{L},c) \\ & \{t_i \leftarrow \sigma_i(\vec{x})\}_{i=1}^{n} \\ & S \leftarrow \{t_1, \ldots, t_n\} \\ & \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi[t_i/\vec{x}])\}_{i=1}^{n} \\ & \psi' \leftarrow \forall\vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi) \\ \mathbf{return}\ & \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi' \end{aligned}$$

$$\begin{aligned} \mathrm{reduce}(\mathcal{L}, \exists\vec{x}.(c \wedge \varphi)) = \mathbf{let}\ & \{\sigma_1, \ldots, \sigma_n\} \leftarrow \widehat{\mathrm{sat}}(\mathcal{L},c) \\ & \{t_i \leftarrow \sigma_i(\vec{x})\}_{i=1}^{n} \\ & S \leftarrow \{t_1, \ldots, t_n\} \\ & \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi[t_i/\vec{x}])\}_{i=1}^{n} \\ & \psi' \leftarrow \exists\vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi) \\ \mathbf{return}\ & \psi_1 \vee \ldots \vee \psi_n \vee \psi' \end{aligned}$$

Figure 2: Definition of $\mathrm{reduce}(\mathcal{L},\varphi)$

Consider a second round of audit on the reduced policy $\varphi_1$ and an extended trace $\mathcal{L}'$ which has the additional state 11 in which Bob, in role "records", responds with a message $M$ to Alice. Since $\varphi_1 = \psi_1 \wedge \varphi_0'$, we have $\mathrm{reduce}(\mathcal{L}',\varphi_1) = \mathrm{reduce}(\mathcal{L}',\psi_1) \wedge \mathrm{reduce}(\mathcal{L}',\varphi_0')$. The reader may check that $\mathrm{reduce}(\mathcal{L}',\varphi_0') = \varphi_0'$ because the top-level restriction in $\varphi_0'$ has no satisfying instance in $\mathcal{L}'$.

Thus, we consider here the reduction of $\psi_1$. Note that $\psi_1$ has the form $\exists\tau',q,m.\ ((\mathrm{in}(\tau',3,33) \wedge \mathrm{inrole}(q,\mathrm{records},\tau') \wedge \mathrm{send}(q,\mathrm{Alice},m,\tau')) \wedge \varphi'(\tau',q,m))$. To calculate its reduction, we first observe that from the information in $\mathcal{L}'$, it should follow that $\widehat{\mathrm{sat}}(\mathcal{L}', \mathrm{in}(\tau',3,33) \wedge \mathrm{inrole}(q,\mathrm{records},\tau') \wedge \mathrm{send}(q,\mathrm{Alice},m,\tau')) = \{(\tau',q,m) \mapsto (11,\mathrm{Bob},M)\}$. (Again, we check formally in Example 4.6 that this is the case.) Consequently, $\mathrm{reduce}(\mathcal{L}',\psi_1) = \psi_1' \vee \varphi_1'$, where $\psi_1' = \mathrm{reduce}(\mathcal{L}', \varphi'(11,\mathrm{Bob},M))$ and $\varphi_1' = \exists\tau',q,m.\ ((\mathrm{in}(\tau',3,33) \wedge \mathrm{inrole}(q,\mathrm{records},\tau') \wedge \mathrm{send}(q,\mathrm{Alice},m,\tau') \wedge (\tau',q,m) \notin \{(11,\mathrm{Bob},M)\}) \wedge \varphi'(\tau',q,m))$. We calculate $\psi_1'$ below. The second disjunct $\varphi_1'$ simply means that the policy is satisfied if at some point other than 11 (but before 33), someone in role "records" sends Alice's mr to her.

What is $\psi_1' = \mathrm{reduce}(\mathcal{L}', \varphi'(11,\mathrm{Bob},M))$? Expanding $\varphi'$, we have $\varphi'(11,\mathrm{Bob},M) = \mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11) \wedge \psi_2$, where $\psi_2 = \forall\tau''.\ (\mathrm{in}(\tau'',3,11) \wedge \tau'' \neq 11) \supset \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},\tau'')$. Because contains is a subjective predicate, $\rho_{\mathcal{L}'}(\mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11)) = \mathrm{uu}$, so, by definition, $\mathrm{reduce}(\mathcal{L}', \mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11)) = \mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11)$. Hence, if $\mathrm{reduce}(\mathcal{L}',\psi_2) = \psi_2'$, then $\psi_1' = \mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11) \wedge \psi_2'$.

To compute $\psi_2'$, we note that $\widehat{\mathrm{sat}}(\mathcal{L}', \mathrm{in}(\tau'',3,11) \wedge \tau'' \neq 11) = \{\tau'' \mapsto 3, \tau'' \mapsto 7\}$. It follows that $\mathrm{reduce}(\mathcal{L}',\psi_2) = \psi_2' = \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},3) \wedge \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},7) \wedge \psi_2''$, where $\psi_2'' = \forall\tau''.\ (\mathrm{in}(\tau'',3,11) \wedge \tau'' \neq 11 \wedge \tau'' \notin \{3,7\}) \supset \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},\tau'')$. Informally, $\psi_2'$ means that it should have been infeasible to respond to Alice at times 3 and 7 (which are the only two observed time points on $\mathcal{L}'$ before the response at time 11), and also at any other time points between 3 and 11 that may show up in extensions of $\mathcal{L}'$.

Putting back the various formulae, we have $\mathrm{reduce}(\mathcal{L}',\varphi_1) = (\psi_1' \vee \varphi_1') \wedge \varphi_0'$, where $\psi_1' = \mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11) \wedge \psi_2'$ means that the message $M$ sent to Alice at time 11 contains her mr and that it was infeasible to respond earlier ($\psi_2'$), $\varphi_1'$ allows for the possibility of satisfying Alice's request through another response before time 33, and $\varphi_0'$ enforces the top-level policy on any other requests. This is exactly what we might expect from an informal analysis. Further, note that the reduction exposes the ground subjective atoms $\mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11)$, $\mathrm{ftr}(\mathrm{Alice},\mathrm{mr},3)$ and $\mathrm{ftr}(\mathrm{Alice},\mathrm{mr},7)$ for a human auditor to inspect and discharge.
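The two rounds of Example 4.1, carried out by a small Python model of Figure 2. This is an added illustration written for this page, not the authors' implementation. The tuple encoding of formulas, the names `Structure`, `sat_hat`, `reduce_` and `atoms`, the term `("+", x, k)` standing for $x + 30$, the predicates `neq` and `notin` standing for $\tau'' \neq \tau'$ and $\vec{x} \notin S$, and the two constructed logs `L1` and `L2` are all choices of this example. It also fixes one point the text leaves to the structure: an objective fact absent from the log is valued $\mathrm{uu}$ rather than $\mathrm{ff}$, since the log may be incomplete.

```python
INF = float("inf")
TT, FF, UU = "tt", "ff", "uu"
# Objective predicates computed from ground arguments (every position is an input).
COMPUTED = {"neq": lambda a, b: a != b, "notin": lambda t, s: t not in s}

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subst_term(t, sub):
    if isinstance(t, tuple):          # ("+", x, k) or a tuple of bound variables
        return tuple(subst_term(a, sub) for a in t)
    return sub.get(t, t) if is_var(t) else t

def subst(f, sub):
    """Apply sub (a dict) to a formula or restriction; bound variables are assumed fresh."""
    if f in ("T", "F"):
        return f
    if f[0] == "atom":
        return ("atom", f[1], tuple(subst_term(a, sub) for a in f[2]))
    if f[0] in ("and", "or"):
        return (f[0], subst(f[1], sub), subst(f[2], sub))
    return (f[0], f[1], subst(f[2], sub), subst(f[3], sub))  # (quant, xs, c, body)

def match(pattern, row):
    """Unify a tuple of terms with a ground row: a frozenset substitution, or None."""
    sub = {}
    for p, v in zip(pattern, row):
        if (sub.setdefault(p, v) != v) if is_var(p) else (p != v):
            return None
    return frozenset(sub.items())

class Structure:
    """A partial structure L: observed states, logged objective facts, subjective predicates."""
    def __init__(self, states, facts, subjective):
        self.states, self.facts, self.subjective = sorted(states), facts, set(subjective)

    def rho(self, pred, args):   # rho_L; an unlogged objective fact is uu, not ff (partial log)
        if pred in self.subjective:
            return UU
        if pred in COMPUTED:
            return TT if COMPUTED[pred](*args) else FF
        return TT if args in self.facts.get(pred, ()) else UU

    def sat(self, pred, args):   # sat(L, P); input positions of P are ground (mode analysis)
        assert pred not in self.subjective, "sat is undefined on subjective atoms"
        if pred in COMPUTED:
            return {frozenset()} if COMPUTED[pred](*args) else set()
        if pred == "in":         # I(in) = {2,3}, O(in) = {1}: log states inside the bounds
            tau, lo, hi = args
            hi = hi[1] + hi[2] if isinstance(hi, tuple) else hi   # ("+", tau, 30)
            args, rows = (tau,), [(t,) for t in self.states if lo <= t <= hi]
        else:                    # action predicates, I = {}: query the log table
            rows = self.facts.get(pred, ())
        return {s for row in rows for s in [match(args, row)] if s is not None}

def sat_hat(L, c):
    """Lifted sat over restrictions (substitutions are frozensets of (var, value) pairs)."""
    if c in ("T", "F"):
        return {frozenset()} if c == "T" else set()
    if c[0] == "atom":
        return L.sat(c[1], c[2])
    if c[0] == "and":   # instances of c1, then of c2 under each of them (the paper's +)
        return {s1 | s2 for s1 in sat_hat(L, c[1]) for s2 in sat_hat(L, subst(c[2], dict(s1)))}
    return sat_hat(L, c[1]) | sat_hat(L, c[2])

def reduce_(L, phi):
    """One iteration of enforcement, following Figure 2."""
    if phi in ("T", "F") or phi[0] == "atom":
        v = UU if phi in ("T", "F") else L.rho(phi[1], phi[2])
        return "T" if v == TT else "F" if v == FF else phi
    if phi[0] in ("and", "or"):
        return (phi[0], reduce_(L, phi[1]), reduce_(L, phi[2]))
    quant, xs, c, body = phi
    subs = sorted(sat_hat(L, c), key=lambda s: str(sorted(s)))
    S = frozenset(tuple(dict(s)[x] for x in xs) for s in subs)       # instances handled now
    out = (quant, xs, ("and", c, ("atom", "notin", (xs, S))), body)  # residual psi'
    for s in reversed(subs):
        out = ("and" if quant == "forall" else "or", reduce_(L, subst(body, dict(s))), out)
    return out

def atoms(L, phi):
    """atoms(L, phi) of Section 4.2: atoms reachable through the instances sat_hat yields."""
    if phi in ("T", "F") or phi[0] == "atom":
        return set() if phi in ("T", "F") else {phi}
    if phi[0] in ("and", "or"):
        return atoms(L, phi[1]) | atoms(L, phi[2])
    return set().union(*(atoms(L, subst(phi[3], dict(s))) for s in sat_hat(L, phi[2])))

# phi_0 of Example 4.1: a request (p, t) at tau must be answered within 30 days by someone in
# role "records" with a message containing t, and earlier responses must have been infeasible.
PHI_0 = ("forall", ("?tau", "?p", "?t"),
         ("and", ("atom", "in", ("?tau", 0, INF)), ("atom", "req", ("?p", "?t", "?tau"))),
         ("exists", ("?tau1", "?q", "?m"),
          ("and", ("and", ("atom", "in", ("?tau1", "?tau", ("+", "?tau", 30))),
                          ("atom", "inrole", ("?q", "records", "?tau1"))),
                  ("atom", "send", ("?q", "?p", "?m", "?tau1"))),
          ("and", ("atom", "contains", ("?m", "?p", "?t", "?tau1")),
                  ("forall", ("?tau2",), ("and", ("atom", "in", ("?tau2", "?tau", "?tau1")),
                                                 ("atom", "neq", ("?tau2", "?tau1"))),
                   ("atom", "ftr", ("?p", "?t", "?tau2"))))))

# Constructed logs: L1 has states 1, 3, 7 and only Alice's request; L2 adds Bob's reply at 11.
REQ = {"req": {("Alice", "mr", 3)}}
L1 = Structure({1, 3, 7}, REQ, {"contains", "ftr"})
L2 = Structure({1, 3, 7, 11}, {**REQ, "inrole": {("Bob", "records", 11)},
                               "send": {("Bob", "Alice", "M", 11)}}, {"contains", "ftr"})

def two_rounds():   # phi_1 = reduce(L1, phi_0); phi_2 = reduce(L2, phi_1); atoms left to a human
    phi_1 = reduce_(L1, PHI_0)
    phi_2 = reduce_(L2, phi_1)
    return phi_1, phi_2, atoms(L2, phi_2)
```

Running `two_rounds()` reproduces the example: after the first round the output is a conjunction of the instantiated obligation for $(3, \mathrm{Alice}, \mathrm{mr})$ and the residual $\varphi_0'$ carrying $\vec{x} \notin \{(3,\mathrm{Alice},\mathrm{mr})\}$; after the second, the only atoms of the output with respect to `L2` are the three ground subjective atoms listed above, exactly as Example 4.4 predicts.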

4.2 Correctness and Minimality of Enforcement 

The function reduce is correct in the sense that its input and output formulas contain the same obligations. Formally, if $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$, then in all extensions of $\mathcal{L}$, $\varphi$ is true iff $\psi$ is true and $\varphi$ is false iff $\psi$ is false.

Theorem 4.2 (Correctness of reduce). If $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$, then (1) $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$, and (2) $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$.

Proof. See Appendix B, Theorem B.5. □ 

The proof of this theorem relies on correctness of $\widehat{\mathrm{sat}}$, which we prove in the next subsection (Theorem 4.5). Correctness of iterative enforcement is an immediate corollary of Theorem 4.2. We can prove by induction on $n$ that if $\varphi_0 \xrightarrow{\mathcal{L}_1} \varphi_1 \xrightarrow{\mathcal{L}_2} \cdots \xrightarrow{\mathcal{L}_n} \varphi_n$, then for all extensions $\mathcal{L}' \geq \mathcal{L}_n$, $\mathcal{L}' \models \varphi_n$ iff $\mathcal{L}' \models \varphi_0$ and $\mathcal{L}' \models \overline{\varphi_n}$ iff $\mathcal{L}' \models \overline{\varphi_0}$.

Next, we wish to prove that if $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$ then $\psi$ is minimal with respect to $\varphi$ and $\mathcal{L}$, i.e., an atom occurs in $\psi$ only if it occurs in $\varphi$ and its interpretation in $\mathcal{L}$ is unknown. Unfortunately, owing to quantification, there is no standard definition of the set of atoms of a formula of first-order logic. In the following, we provide one natural definition of the atoms of a formula and characterize minimality with respect to it; other similar characterizations are possible. If $\vdash \varphi$, we define the set of atoms of a formula $\varphi$ with respect to a structure $\mathcal{L}$ as follows.

$$\begin{aligned} \mathrm{atoms}(\mathcal{L}, P_s) &= \{P_s\} \\ \mathrm{atoms}(\mathcal{L}, P_o) &= \{P_o\} \\ \mathrm{atoms}(\mathcal{L}, \top) &= \{\} \\ \mathrm{atoms}(\mathcal{L}, \bot) &= \{\} \\ \mathrm{atoms}(\mathcal{L}, \varphi_1 \wedge \varphi_2) &= \mathrm{atoms}(\mathcal{L},\varphi_1) \cup \mathrm{atoms}(\mathcal{L},\varphi_2) \\ \mathrm{atoms}(\mathcal{L}, \varphi_1 \vee \varphi_2) &= \mathrm{atoms}(\mathcal{L},\varphi_1) \cup \mathrm{atoms}(\mathcal{L},\varphi_2) \\ \mathrm{atoms}(\mathcal{L}, \forall\vec{x}.(c \supset \varphi)) &= \bigcup_{\sigma \in \widehat{\mathrm{sat}}(\mathcal{L},c)} \mathrm{atoms}(\mathcal{L}, \varphi\sigma) \\ \mathrm{atoms}(\mathcal{L}, \exists\vec{x}.(c \wedge \varphi)) &= \bigcup_{\sigma \in \widehat{\mathrm{sat}}(\mathcal{L},c)} \mathrm{atoms}(\mathcal{L}, \varphi\sigma) \end{aligned}$$

The following theorem characterizes minimality of reduce with respect to the above definition 
of atoms in a formula. 

Theorem 4.3 (Minimality). Suppose $\vdash \varphi$ and $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$. Then $\mathrm{atoms}(\mathcal{L},\psi) \subseteq \mathrm{atoms}(\mathcal{L},\varphi) \cap \{P \mid \rho_{\mathcal{L}}(P) = \mathrm{uu}\}$.

Proof. See Appendix B, Theorem B.12. □ 

Example 4.4. Revisiting Example 4.1, we check that the output produced by the second reduction satisfies Theorem 4.3. Recall that the second reduction is $\mathrm{reduce}(\mathcal{L}',\varphi_1) = (\psi_1' \vee \varphi_1') \wedge \varphi_0'$. $\varphi_1'$ and $\varphi_0'$ each have top-level quantifiers whose guards have no satisfying instances in $\mathcal{L}'$, so, by definition of atoms, $\varphi_1'$ and $\varphi_0'$ have no atoms w.r.t. $\mathcal{L}'$. Thus we turn to $\psi_1'$. It is easy to check that $\mathrm{atoms}(\mathcal{L}',\psi_1')$ is the three element set $\{\mathrm{contains}(M,\mathrm{Alice},\mathrm{mr},11), \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},3), \mathrm{ftr}(\mathrm{Alice},\mathrm{mr},7)\}$. Further, from the analysis of Example 4.1, each of these three atoms also exists in $\mathrm{atoms}(\mathcal{L}',\varphi_1)$. Finally, each of the three atoms is subjective, so each has valuation $\mathrm{uu}$ in $\mathcal{L}'$.



4.3 Quantifier Instantiation and Mode Analysis 

Having described our main enforcement function reduce, we turn to the mode analysis relation $\vdash \varphi$ and the function $\widehat{\mathrm{sat}}$ on which the definition of reduce relies. The rest of this paper can be understood without this section, so the disinclined reader may choose to skip it.



Input and Output. The objective of our mode analysis, as mentioned earlier, is to ensure that the set of satisfying instances of quantified variables $\vec{x}$ in a restriction $c$ be both finite and computable. Our method of mode analysis is inspired by, and based on, a similar technique in logic programming (see, e.g., [4]). The key observation in mode analysis is that, for many predicates, the set of all satisfying instances on any given structure can be computed finitely if arguments in certain positions are ground. The reason why instances can be computed may vary from predicate to predicate; we illustrate some such computations from prior examples.

1. Given a ground $m$, the set of $q, t$ such that $\mathrm{tagged}(m,q,t,\tau)$ holds is finite and can be computed from $m$ itself, as we assumed in Example 2.1. (Note that the last argument $\tau$ is an artifact of our translation and is irrelevant here.)

2. For an action predicate like $\mathrm{send}(p_1,p_2,m,\tau)$, we can compute all instances of $p_1, p_2, m, \tau$ for which $\mathrm{send}(p_1,p_2,m,\tau)$ holds simply by querying the given system log.

3. Given ground $\tau_2, \tau_3$, we can compute all $\tau_1$ such that $\mathrm{in}(\tau_1,\tau_2,\tau_3)$ by looking at the states in the given system log and selecting the subset that lie in the interval $[\tau_2,\tau_3]$.

4. Given ground $r$ and $\tau$, we can compute all principals $p$ such that $\mathrm{inrole}(p,r,\tau)$ by looking at the roles database.

Note that in each of the cases 1-4, we require that certain argument positions be ground (e.g., $m$ in 1 and $\tau_2, \tau_3$ in 3), and compute others (e.g., $q, t$ in 1 and $\tau_1$ in 3). We call these the input and output argument positions, respectively. Formally, we represent input and output positions by two partial functions $I$ and $O$ (input and output) from predicates to $2^{\mathbb{N}}$, which we assume are given to us. The functions are partial because satisfying instances of certain predicates, including all subjective predicates, are not computable. Following the earlier example, we could choose:

1. $I(\mathrm{tagged}) = \{1\}$, $O(\mathrm{tagged}) = \{2,3\}$

2. $I(\mathrm{send}) = \{\}$, $O(\mathrm{send}) = \{1,2,3,4\}$

3. $I(\mathrm{in}) = \{2,3\}$, $O(\mathrm{in}) = \{1\}$

4. $I(\mathrm{inrole}) = \{2,3\}$, $O(\mathrm{inrole}) = \{1\}$

For a subjective predicate $p_s$, $I(p_s)$ and $O(p_s)$ are undefined. The sets $I(p)$ and $O(p)$ are called a moding of predicate $p$. If $i \in I(p)$ ($i \in O(p)$), we say that the $i$th argument of $p$ is in input (output) mode. Certain arguments may be in neither input nor output mode, e.g., argument 4 of the predicate tagged. Also, the same predicate may be moded in multiple ways. For example, both the assignments ($I(\mathrm{send}) = \{\}$, $O(\mathrm{send}) = \{1,2,3,4\}$) and ($I(\mathrm{send}) = \{1\}$, $O(\mathrm{send}) = \{2,3,4\}$) are correct. However, it suffices to assume that each predicate has a unique moding, because we can use different names for predicates with the same interpretation but different modings.

Substitution Computation. A substitution $\sigma$ is a finite map from variables to ground terms. Say that a substitution $\sigma'$ extends a substitution $\sigma$, written $\sigma' \geq \sigma$, if $\mathrm{dom}(\sigma') \supseteq \mathrm{dom}(\sigma)$ and for all $x \in \mathrm{dom}(\sigma)$, $\sigma(x) = \sigma'(x)$. We abstract the computation of terms in output positions from terms in input positions as a partial computable function $\mathrm{sat}$. The input of the function is a pair containing a structure and an atom; its output is a finite set of substitutions. The function $\mathrm{sat}$ satisfies the following condition:

Given a structure $\mathcal{L}$ and an atom $p(t_1,\ldots,t_n)$ such that for all $i \in I(p)$, $t_i$ is ground, $\mathrm{sat}(\mathcal{L}, p(t_1,\ldots,t_n))$ is the set of all substitutions for the variables occurring in $\bigcup_{i \in O(p)} t_i$ that have extensions $\sigma$ such that $\mathcal{L} \models p(t_1,\ldots,t_n)\sigma$.

For example, if in structure $\mathcal{L}$, principal Charlie has doctors Alice and Bob at time $\tau$, then $\mathrm{sat}(\mathcal{L}, \mathrm{inrole}(p, \mathrm{doc}(\mathrm{Charlie}), \tau))$ would be the two element set $\{p \mapsto \mathrm{Alice}, p \mapsto \mathrm{Bob}\}$. If the input arguments in atom $P$ are not ground, then $\mathrm{sat}(\mathcal{L},P)$ may be undefined. For example, if either $\tau_2$ or $\tau_3$ is not ground, then $\mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau_1,\tau_2,\tau_3))$ is undefined. Because subjective predicates are not computable, $\mathrm{sat}(\mathcal{L},P_s)$ is also undefined for every subjective atom $P_s$. In practice, the function $\mathrm{sat}(\mathcal{L},P)$ could be implemented through queries to the database that stores the audit log.

We lift the function $\mathrm{sat}$ to the function $\widehat{\mathrm{sat}}$ that computes satisfying instances of restrictions. The specification of the lifted function $\widehat{\mathrm{sat}}(\mathcal{L},c)$ is similar to that of $\mathrm{sat}$: given a partially ground restriction $c$, $\widehat{\mathrm{sat}}(\mathcal{L},c)$ is a finite set of substitutions characterizing all satisfying instances of $c$.

For atoms, the definition of $\widehat{\mathrm{sat}}$ coincides with that of $\mathrm{sat}$. Since $\top$ must always be true, $\widehat{\mathrm{sat}}(\mathcal{L},\top)$ contains only the empty substitution (denoted $\cdot$). Since $\bot$ can never be satisfied, $\widehat{\mathrm{sat}}(\mathcal{L},\bot)$ is empty. For $c_1 \wedge c_2$, the set of satisfying instances is obtained by taking those of $c_1$ (denoted $\sigma$ in the definition of $\widehat{\mathrm{sat}}$), and conjoining each with the satisfying instances of $c_2\sigma$ (the operation $+$ is composition of substitutions with disjoint domains). The set of satisfying instances of $c_1 \vee c_2$ is the union of the satisfying instances of $c_1$ and $c_2$. Satisfying instances of $\exists x.c$ are obtained by taking those of $c$, and removing the substitutions for $x$.

$\widehat{\mathrm{sat}}$ is a partial function because the underlying function $\mathrm{sat}$ is partial. For instance, taking an example from Section 2, $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{send}(p_1,p_2,m,\tau) \wedge \mathrm{tagged}(m',q,t,\tau'))$ is undefined if $m'$ is a variable, because any substitution $\sigma$ in the output of the recursive call $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{send}(p_1,p_2,m,\tau))$ will not contain $m'$ in its domain and, therefore, in the call to $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{tagged}(m',q,t,\tau')\sigma)$, the first argument to tagged will be non-ground. Since $I(\mathrm{tagged}) = \{1\}$, this recursive call may fail to return an answer. On the other hand, $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{send}(p_1,p_2,m,\tau) \wedge \mathrm{tagged}(m,q,t,\tau'))$ is defined because the first argument of tagged in the second recursive call is $m$, which is grounded by the substitution $\sigma$ of the first recursive call. Despite being partial, $\widehat{\mathrm{sat}}(\mathcal{L},c)$ represents all satisfying instances of $c$ whenever it is defined, as formalized by the following theorem.

Theorem 4.5 (Correctness of $\widehat{\mathrm{sat}}$). If $\widehat{\mathrm{sat}}(\mathcal{L},c)$ is defined then for any substitution $\sigma'$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$, $\mathcal{L} \models c\sigma'$ iff there is a substitution $\sigma \in \widehat{\mathrm{sat}}(\mathcal{L},c)$ such that $\sigma' \geq \sigma$.

Proof. See Appendix B, Theorem B.3. □ 

Example 4.6. In Example 4.1, we informally evaluated $\widehat{\mathrm{sat}}$ at several places. Here, we justify the first two evaluations. In the first instance, we said that $\widehat{\mathrm{sat}}(\mathcal{L}, \mathrm{in}(\tau,0,\infty) \wedge \mathrm{req}(p,t,\tau)) = \{(\tau,p,t) \mapsto (3,\mathrm{Alice},\mathrm{mr})\}$. This follows from the observation that from the information in the structure $\mathcal{L}$, we must have $\mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau,0,\infty)) = \{\tau \mapsto 1, \tau \mapsto 3, \tau \mapsto 7\}$, $\mathrm{sat}(\mathcal{L}, \mathrm{req}(p,t,3)) = \{(p,t) \mapsto (\mathrm{Alice},\mathrm{mr})\}$ and $\mathrm{sat}(\mathcal{L}, \mathrm{req}(p,t,\tau)) = \{\}$ for $\tau \neq 3$. The result of applying $\widehat{\mathrm{sat}}$ follows from its definition.

Similarly, we calculated that $\widehat{\mathrm{sat}}(\mathcal{L}', \mathrm{in}(\tau',3,33) \wedge \mathrm{inrole}(q,\mathrm{records},\tau') \wedge \mathrm{send}(q,\mathrm{Alice},m,\tau')) = \{(\tau',q,m) \mapsto (11,\mathrm{Bob},M)\}$. This follows because, from the description of $\mathcal{L}'$, $\mathrm{sat}(\mathcal{L}', \mathrm{in}(\tau',3,33)) = \{\tau' \mapsto 3, \tau' \mapsto 7, \tau' \mapsto 11\}$, $\mathrm{sat}(\mathcal{L}', \mathrm{inrole}(q,\mathrm{records},\tau')) = \{q \mapsto \mathrm{Bob}\}$ for $\tau' = 11$ and $\{\}$ otherwise, and $\mathrm{sat}(\mathcal{L}', \mathrm{send}(q,p,m,\tau')) = \{(q,p,m,\tau') \mapsto (\mathrm{Bob},\mathrm{Alice},M,11)\}$.

Mode Analysis. Next, we define a static check of restrictions to rule out those on which $\widehat{\mathrm{sat}}$ is not defined, e.g., $\mathrm{send}(p_1,p_2,m,\tau) \wedge \mathrm{tagged}(m',q,t,\tau')$ described earlier. This static check is what we call the mode analysis. A restriction that passes the check is called well-moded. Formally, we define well-modedness as a relation $\chi_I \vdash c : \chi_O$, where $\chi_I$ and $\chi_O$ are sets of variables. If the relation holds, then for any $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi_I$ and any $\mathcal{L}$, $\widehat{\mathrm{sat}}(\mathcal{L}, c\sigma)$ is defined and, further, any substitution in it contains all of $\chi_O \setminus \chi_I$ in its domain. ($\chi_I$, $\chi_O$ are analogues of inputs and outputs for restrictions.)

Definition of $\widehat{\mathrm{sat}}(\mathcal{L},c)$:

$$\begin{aligned} \widehat{\mathrm{sat}}(\mathcal{L}, p_o(t_1,\ldots,t_n)) &= \mathrm{sat}(\mathcal{L}, p_o(t_1,\ldots,t_n)) \\ \widehat{\mathrm{sat}}(\mathcal{L}, \top) &= \{\cdot\} \\ \widehat{\mathrm{sat}}(\mathcal{L}, \bot) &= \{\} \\ \widehat{\mathrm{sat}}(\mathcal{L}, c_1 \wedge c_2) &= \bigcup_{\sigma \in \widehat{\mathrm{sat}}(\mathcal{L},c_1)} \{\sigma + \sigma' \mid \sigma' \in \widehat{\mathrm{sat}}(\mathcal{L}, c_2\sigma)\} \\ \widehat{\mathrm{sat}}(\mathcal{L}, c_1 \vee c_2) &= \widehat{\mathrm{sat}}(\mathcal{L},c_1) \cup \widehat{\mathrm{sat}}(\mathcal{L},c_2) \\ \widehat{\mathrm{sat}}(\mathcal{L}, \exists x.c) &= \widehat{\mathrm{sat}}(\mathcal{L},c) \setminus \{x\} \qquad (x \text{ fresh}) \end{aligned}$$

Restrictions ($\chi_I \vdash c : \chi_O$):

$$\frac{\forall k \in I(p_o).\ \mathrm{fv}(t_k) \subseteq \chi_I}{\chi_I \vdash p_o(t_1,\ldots,t_n) : \chi_I \cup \bigcup_{i \in O(p_o)} \mathrm{fv}(t_i)} \qquad \chi_I \vdash \top : \chi_I \qquad \chi_I \vdash \bot : \chi_I$$

$$\frac{\chi_I \vdash c_1 : \chi \quad \chi \vdash c_2 : \chi_O}{\chi_I \vdash c_1 \wedge c_2 : \chi_O} \qquad \frac{\chi_I \vdash c_1 : \chi_1 \quad \chi_I \vdash c_2 : \chi_2}{\chi_I \vdash c_1 \vee c_2 : \chi_1 \cap \chi_2} \qquad \frac{\chi_I \vdash c : \chi_O}{\chi_I \vdash \exists x.c : \chi_O \setminus \{x\}}$$

Formulas ($\chi \vdash \varphi$):

$$\frac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1,\ldots,t_k)} \qquad \chi \vdash \top \qquad \chi \vdash \bot \qquad \frac{\chi \vdash \varphi_1 \quad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2} \qquad \frac{\chi \vdash \varphi_1 \quad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}$$

$$\frac{\chi \vdash c : \chi_O \quad \vec{x} \subseteq \chi_O \quad \mathrm{fv}(c) \subseteq \chi \cup \vec{x} \quad \chi_O \vdash \varphi}{\chi \vdash \forall\vec{x}.(c \supset \varphi)} \qquad \frac{\chi \vdash c : \chi_O \quad \vec{x} \subseteq \chi_O \quad \mathrm{fv}(c) \subseteq \chi \cup \vec{x} \quad \chi_O \vdash \varphi}{\chi \vdash \exists\vec{x}.(c \wedge \varphi)}$$

(In the rules for quantifiers, bound variables $x$ or $\vec{x}$ must be renamed so that they are fresh.)

Figure 3: Moding Rules

The relation $\chi_I \vdash c : \chi_O$ is defined by the rules of Figure 3, which also constitute a linear-time decision procedure for deciding the relation (with inputs $c$ and $\chi_I$, and output $\chi_O$). We explain some of the rules. An atom $p(t_1,\ldots,t_k)$ is well-moded if the free variables (abbreviated fv) of input positions are ground (premise $\forall k \in I(p_o).\ \mathrm{fv}(t_k) \subseteq \chi_I$ of the first rule) and the output $\chi_O$ equals $\chi_I$ (which is already ground) unioned with $\bigcup_{i \in O(p_o)} \mathrm{fv}(t_i)$ (the variables which must be in the domain of $\mathrm{sat}(\mathcal{L}, p(t_1,\ldots,t_n))$). The rule for conjunctions $c_1 \wedge c_2$ chains the outputs $\chi$ of $c_1$ into the inputs of $c_2$. The following theorem establishes that $\widehat{\mathrm{sat}}$ is total on well-moded restrictions and also establishes the relation between $\chi_I$, $\chi_O$ and the substitutions in the output of $\widehat{\mathrm{sat}}$.

Theorem 4.7 (Totality of $\widehat{\mathrm{sat}}$). If $\chi_I \vdash c : \chi_O$, then for all structures $\mathcal{L}$ and all substitutions $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi_I$, $\widehat{\mathrm{sat}}(\mathcal{L}, c\sigma)$ is defined and, further, for each substitution $\sigma' \in \widehat{\mathrm{sat}}(\mathcal{L}, c\sigma)$, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$.

Proof. See Appendix B, Theorem B.6. □ 

We extend the mode check on restrictions to formulas $\varphi$ of the sublogic. The objective of this mode check is twofold. First, the check ensures that all restrictions occurring in $\varphi$ are well-moded in the sense described above. Second, for quantifiers $\forall\vec{x}.(c \supset \varphi')$ and $\exists\vec{x}.(c \wedge \varphi')$, the check ensures that the quantified variables $\vec{x}$ are contained in the outputs ($\chi_O$) of the restriction $c$. (Hence, by Theorems 4.5 and 4.7, any substitution in $\widehat{\mathrm{sat}}(\mathcal{L},c)$ grounds $\vec{x}$, which is central to the termination of reduce.) The mode check is formalized as the relation $\chi \vdash \varphi$, meaning that for any substitution $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi$, the formula $\varphi\sigma$ is well-moded. Its straightforward rules are shown in Figure 3. The rules constitute a linear-time decision procedure for checking the relation (with inputs $\chi$ and $\varphi$). In the rules for $\forall\vec{x}.(c \supset \varphi')$ and $\exists\vec{x}.(c \wedge \varphi')$, the first premises check that $c$ is well-moded. The second premises ensure that the variables $\vec{x}$ are contained in the output $\chi_O$ of the mode check on $c$. The third premises ensure that $c$ is closed. It can easily be checked that if $\chi \vdash \varphi$, then $\mathrm{fv}(\varphi) \subseteq \chi$. We call a formula $\varphi$ well-moded if $\{\} \vdash \varphi$, which we abbreviate to $\vdash \varphi$. The following theorem shows that on well-moded formulas, the function reduce is total. Further, on a well-moded input, the output is also well-moded (so the output can be used as input in a subsequent iteration).

Theorem 4.8 (Totality of reduce). If $\vdash \varphi$ then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L},\varphi) = \psi$ and $\vdash \psi$.

Proof. See Appendix B, Theorem B.10. □

Example 4.9. It can easily be checked that the formulas $G\,\varphi_{pol1}$ and $G\,\varphi_{pol2}$ defined in Example 2.3 are both well-moded (e.g., $\vdash G\,\varphi_{pol1}$) using the definitions of $I$ and $O$ presented at the beginning of this subsection.
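The moding rules of Figure 3 as a Python checker, an added illustration for this page rather than the authors' code. It uses the four modings listed at the start of this subsection plus an assumed moding $I(\mathrm{req}) = \{\}$, $O(\mathrm{req}) = \{1,2,3\}$ for the request predicate; the tuple encoding of formulas, the `"?"` prefix for variables, the term `("+", x, k)` for $x + 30$, and the names `IllModed`, `mode_restriction`, `mode_formula`, `well_moded` and `outputs` are choices of this example. It is run on the two send/tagged restrictions discussed above and on a trimmed version of $\varphi_{pol2}$ in two conjunct orders, to show that the check depends on how $c_1 \wedge c_2$ chains outputs into inputs.

```python
INF = float("inf")
# Modings assumed in this example (the four of Section 4.3 plus req for the policy below).
I = {"tagged": {1}, "send": set(), "in": {2, 3}, "inrole": {2, 3}, "req": set()}
O = {"tagged": {2, 3}, "send": {1, 2, 3, 4}, "in": {1}, "inrole": {1}, "req": {1, 2, 3}}
# Subjective predicates such as contains have no entry: I and O are undefined on them.

class IllModed(Exception):
    """Raised with the reason a restriction or formula fails the mode check."""

def fv(t):
    """Free variables of a term: a "?"-variable, a constant, or a tuple such as ("+", x, k)."""
    if isinstance(t, tuple):
        return set().union(*map(fv, t))
    return {t} if isinstance(t, str) and t.startswith("?") else set()

def fv_restriction(c):
    if c in ("T", "F"):
        return set()
    if c[0] == "atom":
        return set().union(*map(fv, c[2]))
    if c[0] in ("and", "or"):
        return fv_restriction(c[1]) | fv_restriction(c[2])
    return fv_restriction(c[2]) - set(c[1])            # exists xs.c

def mode_restriction(chi_in, c):
    """chi_in |- c : chi_out (Figure 3, restriction rules); returns chi_out or raises IllModed."""
    if c in ("T", "F"):
        return set(chi_in)
    if c[0] == "atom":
        p, args = c[1], c[2]
        if p not in I:
            raise IllModed(f"{p}: its satisfying instances are not computable")
        for k in I[p]:                                  # input positions must already be ground
            if not fv(args[k - 1]) <= chi_in:
                raise IllModed(f"{p}: argument {k} is not ground given {sorted(chi_in)}")
        return set(chi_in).union(*(fv(args[k - 1]) for k in O[p]))
    if c[0] == "and":                                   # outputs of c1 are the inputs of c2
        return mode_restriction(mode_restriction(chi_in, c[1]), c[2])
    if c[0] == "or":                                    # only what both branches ground
        return mode_restriction(chi_in, c[1]) & mode_restriction(chi_in, c[2])
    return mode_restriction(chi_in, c[2]) - set(c[1])   # exists xs.c

def mode_formula(chi, phi):
    """chi |- phi (Figure 3, formula rules); returns True or raises IllModed."""
    if phi in ("T", "F"):
        return True
    if phi[0] == "atom":                                # every argument must be ground
        if not set().union(*map(fv, phi[2])) <= chi:
            raise IllModed(f"{phi[1]}: argument not bound by an enclosing restriction")
        return True
    if phi[0] in ("and", "or"):
        return mode_formula(chi, phi[1]) and mode_formula(chi, phi[2])
    xs, c, body = set(phi[1]), phi[2], phi[3]
    chi_out = mode_restriction(chi, c)                  # premise 1: c is well-moded
    if not xs <= chi_out:                               # premise 2: c grounds the bound variables
        raise IllModed(f"variables {sorted(xs - chi_out)} are not computed by the restriction")
    if not fv_restriction(c) <= chi | xs:               # premise 3: c is closed
        raise IllModed("restriction mentions a variable that is neither bound nor in scope")
    return mode_formula(chi_out, body)                  # premise 4: the body under chi_out

def well_moded(phi):
    """|- phi, i.e. {} |- phi; returns None if it holds, else the reason it fails."""
    try:
        mode_formula(set(), phi)
        return None
    except IllModed as e:
        return str(e)

def outputs(c, chi_in=()):
    """chi_out of a restriction, or None when sat_hat would be undefined on it."""
    try:
        return mode_restriction(set(chi_in), c)
    except IllModed:
        return None

# The two restrictions discussed above: tagged's first argument must have been grounded by
# send before tagged is reached; m' (here ?m2) is not, so the first one is ill-moded.
SEND = ("atom", "send", ("?p1", "?p2", "?m", "?tau"))
SEND_TAGGED_BAD = ("and", SEND, ("atom", "tagged", ("?m2", "?q", "?t", "?tau2")))
SEND_TAGGED_OK = ("and", SEND, ("atom", "tagged", ("?m", "?q", "?t", "?tau2")))

# A trimmed phi_pol2 (Example 2.3), and the same formula with the conjuncts of the inner
# restriction reordered so that inrole is reached before in has grounded ?tau1.
def policy(inner):
    return ("forall", ("?tau", "?p", "?t"),
            ("and", ("atom", "in", ("?tau", 0, INF)), ("atom", "req", ("?p", "?t", "?tau"))),
            ("exists", ("?tau1", "?q", "?m"),
             ("and", inner, ("atom", "send", ("?q", "?p", "?m", "?tau1"))),
             ("atom", "contains", ("?m", "?p", "?t", "?tau1"))))

IN_WINDOW = ("atom", "in", ("?tau1", "?tau", ("+", "?tau", 30)))
IN_ROLE = ("atom", "inrole", ("?q", "records", "?tau1"))
POLICY = policy(("and", IN_WINDOW, IN_ROLE))
POLICY_REORDERED = policy(("and", IN_ROLE, IN_WINDOW))
```

Note that argument 4 of tagged (`?tau2`) is in neither mode and so does not appear in the output of `SEND_TAGGED_OK`, matching the remark above that some positions are neither inputs nor outputs.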

5 Specific Instances of Enforcement 

We analyze the behavior of our enforcement algorithm on two restricted classes of structures. First, we consider objectively-complete structures, those that map every objective atom to either $\mathrm{tt}$ or $\mathrm{ff}$ (Section 5.1). We show that for such structures $\mathcal{L}$, the output of $\mathrm{reduce}(\mathcal{L},\varphi)$ can be simplified to conjunctions and disjunctions of ground subjective atoms through trivial rewriting (e.g., replacing $\top \wedge \psi$ with $\psi$), thus making it more amenable to human inspection. We also obtain a decision procedure to decide the truth and falsity of input formulas without subjective predicates.

Second, we consider past-complete structures, those that have complete information up to a specific point of time (Section 5.2). This corresponds to the standard assumption in every existing work on enforcement of temporal properties that the audit log contains all past information. In particular, we show that on past-complete traces, our algorithm yields a method to find violations of safety properties [2] and satisfactions of co-safety properties [11] at the earliest.

5.1 Execution on Objectively-Complete Structures 

We analyze the output of $\mathrm{reduce}(\mathcal{L},\varphi)$ when $\mathcal{L}$ is objectively-complete. Although objective-completeness requires that truth and falsity of objective atoms be determined even in the future, it may model some realistic settings. For instance, after audit-relevant information has been gathered from all possible sources, it may be assumed that any fact not explicitly seen is, by default, false. The resulting structure would be objectively-complete. Objectively-complete structures correspond to the case of subjective incompleteness from Section 3.

Definition 5.1. A structure $\mathcal{L}$ is called objectively-complete if for all objective atoms $P_o$, $\rho_{\mathcal{L}}(P_o) \in \{\mathrm{tt}, \mathrm{ff}\}$.

If a structure $\mathcal{L}$ is objectively-complete, then during the execution of $\mathrm{reduce}(\mathcal{L},\varphi)$, all relevant substitutions can be found for quantifiers and all objective atoms can be replaced with either $\top$ or $\bot$. Indeed, we show in this subsection that if $\mathcal{L}$ is objectively-complete, then the output $\psi$ of $\mathrm{reduce}(\mathcal{L},\varphi)$ can be rewritten (using straightforward rewrite rules) to a logically equivalent formula that is either $\top$ or $\bot$ or contains only subjective atoms, conjunctions and disjunctions. This has practical importance because, as compared to a formula with quantifiers, a formula containing only subjective atoms, conjunctions and disjunctions is more amenable to human inspection and audit.

There are two kinds of rewriting we need to perform on the output $\psi$ to reduce it to our desired form. First, we need to eliminate unnecessary occurrences of $\top$ and $\bot$ that arise either from occurrences of $\top$ and $\bot$ in the input formula, or as replacements of atoms that evaluate to $\mathrm{tt}$ and $\mathrm{ff}$ respectively. Such occurrences can be eliminated by repeatedly applying the following eight rewriting rules anywhere in the output:

$$\begin{array}{ll} \psi \wedge \top \to \psi & \top \wedge \psi \to \psi \\ \psi \wedge \bot \to \bot & \bot \wedge \psi \to \bot \\ \psi \vee \top \to \top & \top \vee \psi \to \top \\ \psi \vee \bot \to \psi & \bot \vee \psi \to \psi \end{array}$$

For example, if $\varphi = P_o \wedge P_s$ for an objective atom $P_o$ and a subjective atom $P_s$ and $\rho_{\mathcal{L}}(P_o) = \mathrm{tt}$, then $\mathrm{reduce}(\mathcal{L},\varphi) = \top \wedge P_s$. This can be simplified to $P_s$ using the second rule above. Note that each rule above preserves logical equivalence of formulas.

Second, we need to eliminate those quantified subformulas in the output that are created in the definition of reduce (Figure 2). These have the forms $\forall\vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi)$ and $\exists\vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi)$. Because $S$ contains all instances of $\vec{x}$ that satisfy $c$, $(c \wedge \vec{x} \notin S)$ has no satisfying instances in $\mathcal{L}$, i.e., $\widehat{\mathrm{sat}}(\mathcal{L}, (c \wedge \vec{x} \notin S)) = \{\}$. Further, because $\mathcal{L}$ is objectively-complete, any extension $\mathcal{L}'$ of $\mathcal{L}$ must agree with $\mathcal{L}$ on the valuation of objective atoms, so, by Theorem 4.5, $\widehat{\mathrm{sat}}(\mathcal{L}', (c \wedge \vec{x} \notin S)) = \{\}$. Consequently, $\forall\vec{x}.((c \wedge \vec{x} \notin S) \supset \varphi)$ is logically equivalent to $\top$ in all extensions of $\mathcal{L}$ and $\exists\vec{x}.((c \wedge \vec{x} \notin S) \wedge \varphi)$ is logically equivalent to $\bot$ in all extensions of $\mathcal{L}$. This immediately yields the following two rules for elimination of quantifiers from the output of reduce.

$$\forall\vec{x}.(c \supset \varphi) \to \top \qquad\qquad \exists\vec{x}.(c \wedge \varphi) \to \bot$$

We point out that, unlike the eight rewriting rules presented earlier, the two rewriting rules above do not preserve logical equivalence in general, but they preserve logical equivalence when applied to the output $\psi = \mathrm{reduce}(\mathcal{L},\varphi)$ for objectively-complete $\mathcal{L}$.

Let $\to^*$ denote the reflexive-transitive closure of $\to$. Since $\to$ makes formulas strictly smaller, it cannot be applied indefinitely to any formula. Further, even though a formula may be rewritten in many ways using a single application of $\to$, the formula obtained by applying $\to$ exhaustively starting from a fixed initial formula is unique because $\to$ is confluent.

Theorem 5.2. Suppose $\mathcal{L}$ is objectively-complete, $\vdash \varphi$ and $\psi = \mathrm{reduce}(\mathcal{L},\varphi)$. Then $\psi \to^* \psi'$, where (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Proof. See Appendix C, Theorem C.4. □ 

An interesting special case arises on inputs without any subjective predicates. In this case, it can be proved by induction on $\varphi$ that if $\mathcal{L}$ is objectively-complete, then either $\mathcal{L} \models \varphi$ or $\mathcal{L} \models \overline{\varphi}$ (either $\varphi$ is true in $\mathcal{L}$ or it is false). Interestingly, for such inputs, Theorem 5.2 yields a decision procedure for determining the truth or falsity of $\varphi$ in $\mathcal{L}$. The proof of this fact is straightforward. By minimality of reduce (Theorem 4.3), the output $\psi$ of $\mathrm{reduce}(\mathcal{L},\varphi)$ cannot contain any subjective atoms if $\varphi$ does not contain them, so neither can the formula $\psi'$ obtained by rewriting in Theorem 5.2. Hence, $\psi'$ must be either $\top$ or $\bot$. If $\psi' = \top$, then by Theorem 4.2, $\mathcal{L} \models \varphi$, and if $\psi' = \bot$, then by the same theorem, $\mathcal{L} \models \overline{\varphi}$. This is a decision procedure because both reduce and $\to^*$ terminate.
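The rewriting $\to^*$ of this subsection as an added Python normalizer, written for this page and not taken from the paper. It applies the eight $\top/\bot$ rules and the two quantifier rules exhaustively, bottom-up, which yields the unique normal form that confluence guarantees, and it derives the decision procedure for subjective-free inputs from it. The tuple encoding of formulas and the names `rewrite`, `in_normal_form` and `decide` are choices of this example; because the quantifier rules are only sound on the output of reduce for an objectively-complete structure, the sample input is constructed to have the shape such an output has (residual quantifiers whose guards carry $\vec{x} \notin S$), not an arbitrary formula.

```python
def rewrite(psi):
    """Exhaustive application of the ten rules of Section 5.1, innermost first.

    Formulas are "T", "F", ("atom", p, args), ("and", a, b), ("or", a, b), or a residual
    quantifier ("forall" | "exists", xs, c, body) as produced by reduce (Figure 2).  The two
    quantifier rules presuppose an objectively-complete structure; see the text above.
    """
    if psi in ("T", "F") or psi[0] == "atom":
        return psi
    tag = psi[0]
    if tag == "forall":             # forall x.((c & x notin S) => phi) -> T
        return "T"
    if tag == "exists":             # exists x.((c & x notin S) & phi) -> F
        return "F"
    a, b = rewrite(psi[1]), rewrite(psi[2])
    unit, zero = ("T", "F") if tag == "and" else ("F", "T")
    if a == zero or b == zero:      # psi & F -> F,  F & psi -> F,  psi | T -> T,  T | psi -> T
        return zero
    if a == unit:                   # T & psi -> psi,  F | psi -> psi
        return b
    if b == unit:                   # psi & T -> psi,  psi | F -> psi
        return a
    return (tag, a, b)

def in_normal_form(psi):
    """Theorem 5.2 (1): psi is T, F, or built from atoms with the connectives and/or only."""
    if psi in ("T", "F") or psi[0] == "atom":
        return True
    return psi[0] in ("and", "or") and all(p not in ("T", "F") and in_normal_form(p)
                                           for p in psi[1:])

def decide(psi, subjective=("contains", "ftr")):
    """For a subjective-free reduce output on an objectively-complete L: True (L |= phi),
    False (L |= not phi); None if subjective atoms remain and a human must decide."""
    nf = rewrite(psi)
    assert in_normal_form(nf)
    return True if nf == "T" else False if nf == "F" else None

# Constructed sample with the shape of Example 4.1's second-round output after an
# objectively-complete structure has settled every objective atom.
CONTAINS = ("atom", "contains", ("M", "Alice", "mr", 11))
FTR3 = ("atom", "ftr", ("Alice", "mr", 3))
RESIDUAL = ("exists", ("?tau1", "?q", "?m"), ("atom", "notin", ((11, "Bob", "M"),)), "T")
SAMPLE = ("or", ("and", "T", ("and", CONTAINS, ("or", "F", FTR3))), RESIDUAL)
```

On `SAMPLE`, `rewrite` returns the conjunction of the two subjective atoms with every $\top$, $\bot$ and residual quantifier gone, which is the form a human auditor is handed; replacing the subjective atoms by objective ones already settled to $\top$ or $\bot$ makes `decide` return a verdict instead.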

5.2 Execution on Past-Complete Structures 

Next, we analyze our enforcement algorithm on structures that have complete information up to a specific point of time, say $\tau_0$. We call such structures $\tau_0$-past-complete or, briefly, $\tau_0$-complete. Past-completeness corresponds to future incompleteness from Section 3 and is practically relevant because in many cases, audit logs record all relevant events as they happen and the entire history is available to an enforcement algorithm. In fact, this is a standard assumption in all existing literature on either runtime or post-hoc enforcement of temporal properties. The classic result in this context is that, under this assumption, a runtime monitor can detect both violation of so-called safety properties (a given bad event never happens) and satisfaction of so-called co-safety properties (a given good event happens at some time either in the past or in the future) at the earliest possible time. In the rest of this subsection, we show that on past-complete structures similar results hold for our enforcement method.

We start by formally defining past-complete structures, then adapt a standard characterization of safety and co-safety properties in temporal logic to our setting, and finally prove that the function reduce, together with rewriting $\to$, yields a method to enforce both safety and co-safety properties. It is important to mention here that violation or satisfaction of a property cannot be defined formally if the property has subjective predicates. Consequently, we assume in this subsection, like existing literature on the subject, that policies do not contain subjective predicates.

Definition 5.3. Given a ground time $\tau_0$, a structure $\mathcal{L}$ is called $\tau_0$-past-complete or $\tau_0$-complete if the following two conditions hold:

1. For all predicates $p$, all ground $t_1, \ldots, t_n$ and all $\tau < \tau_0$, $\rho_{\mathcal{L}}(p(t_1,\ldots,t_n,\tau)) \in \{\mathrm{tt}, \mathrm{ff}\}$.

2. For all ground $\tau_1, \tau_2, \tau_3$ such that $\tau_1 < \tau_0$, $\rho_{\mathcal{L}}(\mathrm{in}(\tau_1,\tau_2,\tau_3)) \in \{\mathrm{tt}, \mathrm{ff}\}$.

The first condition means that the truth or falsity of every atom in the temporal logic can be determined at time $\tau$ if $\tau < \tau_0$. The second condition states that $\mathcal{L}$ records all relevant states up to time $\tau_0$.

Safety and Co-safety Informally, a safety property states that a specified bad condition is never satisfied. Dually, a co-safety property states that a specified good condition is satisfied at some time (either in the past or in the future). Although the two kinds of properties are often characterized in terms of traces (semantically) [2, 11], characterizations of the two kinds of properties as classes of formulas in logic are more relevant for us. It is known [23] that safety properties correspond to formulas of the form $G\,\alpha_P$, where $G$ is the "in every state" operator introduced in Example 2.3 and $\alpha_P$ is an arbitrary formula of the temporal logic not containing any future operators ($\Box$ and $U$). In words, $G\,\alpha_P$ means that in every state (the bad condition) $\neg\alpha_P$ does not hold. As an illustration, the policy $G\,\alpha_{pol1}$ in Example 2.3 is a safety property, but $G\,\alpha_{pol2}$ is not because it contains a future operator. Dually, co-safety properties can be characterized as formulas of the form $F\,\alpha_P = \exists\tau.(\mathrm{in}(\tau, 0, \infty) \wedge (\alpha_P)^\tau)$, informally meaning that in some state $\tau$, (the good condition) $\alpha_P$ holds.$^\ast$

We say that a safety property $G\,\alpha_P$ is violated at time $\tau$ in a structure $\mathcal{L}$ if $\mathcal{L} \models (\overline{\alpha_P})^\tau$. In other words, $G\,\alpha_P$ is violated at time $\tau$ if at that time, the negation of $\alpha_P$ holds in $\mathcal{L}$. Similarly, we say that a co-safety property $F\,\alpha_P$ is satisfied at time $\tau$ in a structure $\mathcal{L}$ if $\mathcal{L} \models (\alpha_P)^\tau$.

Our first result (Theorem 5.4) is that if a safety property $G\,\alpha_P$ is violated at time $\tau$ in a structure $\mathcal{L}$ that is $\tau_0$-complete ($\tau < \tau_0$), then $\mathrm{reduce}(\mathcal{L}, G\,\alpha_P) \longrightarrow^* \bot$ (and conversely). This result is important because it implies that violations of safety properties can be detected in the next iteration of enforcement after they occur if audit logs contain all past information. An analogous result, Theorem 5.5, holds for co-safety properties, wherein satisfaction can be detected at the earliest. The justification for both theorems is similar to that for Theorem 5.2, but more involved. Because both $\mathrm{reduce}$ and $\longrightarrow^*$ terminate, the theorems also provide decision procedures for enforcing safety and co-safety properties on past-complete structures.

Theorem 5.4 (Enforcement of safety properties). Suppose $G\,\alpha_P$ is a safety property, $\vdash G\,\alpha_P$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau, 0, \infty)) = \mathsf{tt}) \Rightarrow \tau < \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, G\,\alpha_P) \longrightarrow^* \bot$ iff there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models (\overline{\alpha_P})^\tau$.

Proof. See Appendix C, Theorem C.12. □ 

Theorem 5.5 (Enforcement of co-safety properties). Suppose $F\,\alpha_P$ is a co-safety property, $\vdash F\,\alpha_P$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau, 0, \infty)) = \mathsf{tt}) \Rightarrow \tau < \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, F\,\alpha_P) \longrightarrow^* \top$ if and only if there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau, 0, \tau_0)$ and $\mathcal{L} \models (\alpha_P)^\tau$.

Proof. See Appendix C, Theorem C.13. □ 

Example 5.6. We check Theorem 5.4 on the safety property $G\,\alpha_{pol1}$ from Example 2.3. The policy states that if a message $m$ is sent by $p_1$ to $p_2$ for purpose $u$ and the message is tagged as containing $q$'s data about attribute $t$ (which is a form of $phi$), then either the recipient $p_2$ is $q$'s doctor and the purpose $u$ is treatment, or $q$ has previously consented to this message transmission.

We consider a simple structure $\mathcal{L}$ in which this policy is violated. $\mathcal{L}$ has only one time point 7, at which principal $A$ sends principal $B$ a message $M$. The message $M$ is labeled with purpose $test$ ($\mathrm{purp\_in}(test, treatment)$ holds) and tagged as containing principal $C$'s information about attribute $meds$ (medications), which is a form of $phi$. Further, $B$, the recipient, is not $C$'s doctor. Suppose that we audit at a later point of time (10) and that $\mathcal{L}$ described above is 10-complete. Since there is no other information in $\mathcal{L}$ besides what has been mentioned, $C$ has not consented explicitly to this message transmission, so the policy has been violated at time 7. We seek to verify that $\mathrm{reduce}(\mathcal{L}, G\,\alpha_{pol1}) \longrightarrow^* \bot$.

We start by computing $\mathrm{reduce}(\mathcal{L}, G\,\alpha_{pol1})$. The reader is advised to revisit the definition of $G\,\alpha_{pol1}$ in Example 2.3. At the top level, $G\,\alpha_{pol1}$ contains a universal quantifier with restriction $c = (\mathrm{in}(\tau, 0, \infty) \wedge \mathrm{send}(p_1, p_2, m, \tau) \wedge \mathrm{purp}(m, u, \tau) \wedge \mathrm{tagged}(m, q, t, \tau) \wedge \mathrm{attr\_in}(t, phi, \tau))$. Computing $\mathrm{sat}(\mathcal{L}, c)$ yields $\{(\tau, p_1, p_2, m, u, q, t) \mapsto (7, A, B, M, test, C, meds)\}$. Hence, $\mathrm{reduce}(\mathcal{L}, G\,\alpha_{pol1}) = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \varphi_0'$, where $\varphi_1$ is shown below and $\varphi_0'$ is almost a copy of the original policy, with a larger restriction. The only aspect of $\varphi_0'$ relevant for this example is that it contains a top-level universal quantifier.

$^\ast$We have not seen this characterization of co-safety properties in the literature, but it is easily derived as the dual of the known characterization of safety properties.
$$\varphi_1 = (\mathrm{inrole}(B, doc(C), 7) \wedge \mathrm{purp\_in}(test, treatment, 7)) \vee (\exists\tau'.(\mathrm{in}(\tau', 0, 7) \wedge \mathrm{consents}(C, \mathrm{sendaction}(A, B, (C, meds)), \tau')))$$

Next, we calculate $\mathrm{reduce}(\mathcal{L}, \varphi_1)$. Since $\rho_{\mathcal{L}}(\mathrm{inrole}(B, doc(C), 7)) = \mathsf{ff}$ and $\rho_{\mathcal{L}}(\mathrm{purp\_in}(test, treatment, 7)) = \mathsf{tt}$, $\mathrm{reduce}(\mathcal{L}, \varphi_1) = (\bot \wedge \top) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$, where $\varphi_2$ is the second disjunct of $\varphi_1$. Finally, we compute $\mathrm{reduce}(\mathcal{L}, \varphi_2)$. The top-level connective of $\varphi_2$ is an existential quantifier restricted by $\mathrm{in}(\tau', 0, 7)$. Since $\mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau', 0, 7)) = \{\tau' \mapsto 7\}$, $\mathrm{reduce}(\mathcal{L}, \varphi_2) = \mathrm{reduce}(\mathcal{L}, \varphi_3) \vee \varphi_2'$, where $\varphi_3 = \mathrm{consents}(C, \mathrm{sendaction}(A, B, (C, meds)), 7)$ and $\varphi_2'$ begins with an existential quantifier. Clearly, $\mathrm{reduce}(\mathcal{L}, \varphi_3) = \bot$. Putting the pieces back together, we get $\mathrm{reduce}(\mathcal{L}, G\,\alpha_{pol1}) = ((\bot \wedge \top) \vee (\bot \vee \varphi_2')) \wedge \varphi_0'$.

Since $\varphi_0'$ and $\varphi_2'$ begin with a universal and an existential quantifier, they can be rewritten to $\top$ and $\bot$ respectively. So, $\mathrm{reduce}(\mathcal{L}, G\,\alpha_{pol1}) \longrightarrow^* ((\bot \wedge \top) \vee (\bot \vee \bot)) \wedge \top$, which can easily be rewritten to $\bot$, thus indicating a violation. If we change the example to avoid a violation, say by setting $\rho_{\mathcal{L}}(\mathrm{inrole}(B, doc(C), 7))$ to $\mathsf{tt}$ instead of $\mathsf{ff}$, then the result of rewriting changes from $\bot$ to $\top$, indicating a lack of violation thus far. Finally, if we do not assume that $\mathcal{L}$ is past-complete, then the rewriting of $\varphi_2'$ to $\bot$ is unsound because there may be an extension of $\mathcal{L}$ in which $\varphi_2'$ is true and, hence, the original property may not have been violated, but our procedure would conclude that it is. So, past-completeness is a necessary assumption in Theorem 5.4 (and also Theorem 5.5).
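As an added example (this is not code from the paper), the following Python model runs $\mathrm{reduce}$ and the rewriting $\longrightarrow^*$ on the log of Example 5.6. The tuple encoding of formulas, the names `Structure`, `sat`, `reduce`, `rewrite`, `enforce`, `example_structure` and `ALPHA_POL1`, the arithmetic reading of $\mathrm{in}(\tau, lo, hi)$, and the mode of enumerating $\mathrm{in}$ over the recorded time points are all assumptions of this example. Restricted quantifiers are encoded as `('forall', xs, c, body, S)` for $\forall \vec{x}.((c \wedge \vec{x} \notin S) \supset body)$ and `('exists', xs, c, body, S)` for the dual; variables are strings starting with `?`, and compound terms such as $doc(q)$ are tuples. The rewriting of a residual quantifier to $\top$ or $\bot$ is applied only under the past-completeness side condition of Theorems 5.4 and 5.5, which the code takes as a flag.

```python
INF = float('inf')                                      # the paper's oo
TOP, BOT = ('top',), ('bot',)
def atom(p, *args): return ('atom', p, args)
def is_var(t): return isinstance(t, str) and t.startswith('?')
def conj(*cs): return cs[0] if len(cs) == 1 else ('and', conj(*cs[:-1]), cs[-1])

def subst(t, s):
    """Apply substitution s to a term or formula (bound variables are named apart)."""
    if isinstance(t, str):
        return s.get(t, t)
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else t

def match(args, vals):
    """Bind the variables in args to the ground vals of a logged atom, or return None."""
    s = {}
    for a, v in zip(args, vals):
        if (s.setdefault(a, v) if is_var(a) else a) != v:
            return None
    return s

class Structure:
    """rho_L: tt/ff for the listed atoms and uu otherwise, except that under tau0-past-
    completeness (Definition 5.3) an unlisted atom whose time (last argument) is < tau0 is ff."""
    def __init__(self, times, tt, ff, tau0=None):
        self.times, self.tt, self.ff, self.tau0 = set(times), set(tt), set(ff), tau0
    def rho(self, p, args):
        if p == 'in':                                   # in(t, lo, hi) is arithmetic
            return 'tt' if args[1] <= args[0] <= args[2] else 'ff'
        key = (p,) + tuple(args)
        known_ff = key in self.ff or (self.tau0 is not None and args[-1] < self.tau0)
        return 'tt' if key in self.tt else 'ff' if known_ff else 'uu'

def sat(L, c):
    """Substitutions under which the restriction c (a conjunction of atoms) holds in L."""
    if c[0] == 'and':
        return [{**s1, **s2} for s1 in sat(L, c[1]) for s2 in sat(L, subst(c[2], s1))]
    _, p, args = c
    if p == 'in':                                       # enumerate the recorded time points
        t, lo, hi = args
        return [{t: v} for v in L.times if lo <= v <= hi] if is_var(t) else [{}] * (lo <= t <= hi)
    return [s for s in (match(args, k[1:]) for k in L.tt if k[0] == p) if s is not None]

def reduce(L, phi):
    """The paper's reduce: discharge known atoms, instantiate quantifiers via sat, keep a residual."""
    kind = phi[0]
    if kind in ('top', 'bot'):
        return phi
    if kind == 'atom':
        v = L.rho(phi[1], phi[2])
        return TOP if v == 'tt' else BOT if v == 'ff' else phi
    if kind in ('and', 'or'):
        return (kind, reduce(L, phi[1]), reduce(L, phi[2]))
    kind, xs, c, body, S = phi
    seen, parts = set(S), []
    for s in sat(L, c):
        inst = tuple(s[x] for x in xs)
        if inst not in seen:                            # the "xs not in S" filter
            seen.add(inst)
            parts.append(reduce(L, subst(body, s)))
    out = (kind, xs, c, body, frozenset(seen))          # residual quantifier with enlarged S
    for part in reversed(parts):
        out = ('and' if kind == 'forall' else 'or', part, out)
    return out

def rewrite(phi, past_complete):
    """->*: fold top/bottom through and/or.  If L is past-complete and every recorded time
    precedes tau0 (side condition of Theorems 5.4/5.5), a residual forall is top, a residual exists bottom."""
    kind = phi[0]
    if kind in ('and', 'or'):
        a, b = rewrite(phi[1], past_complete), rewrite(phi[2], past_complete)
        zero, unit = (BOT, TOP) if kind == 'and' else (TOP, BOT)
        if zero in (a, b):
            return zero
        return b if a == unit else a if b == unit else (kind, a, b)
    if kind in ('forall', 'exists') and past_complete:
        return TOP if kind == 'forall' else BOT
    return phi

# G alpha_pol1 of Example 2.3, transcribed from the description in Example 5.6.
ALPHA_POL1 = ('forall', ('?tau', '?p1', '?p2', '?m', '?u', '?q', '?t'),
    conj(atom('in', '?tau', 0, INF), atom('send', '?p1', '?p2', '?m', '?tau'),
         atom('purp', '?m', '?u', '?tau'), atom('tagged', '?m', '?q', '?t', '?tau'),
         atom('attr_in', '?t', 'phi', '?tau')),
    ('or', ('and', atom('inrole', '?p2', ('doc', '?q'), '?tau'),
                   atom('purp_in', '?u', 'treatment', '?tau')),
           ('exists', ('?tau2',), atom('in', '?tau2', 0, '?tau'),
            atom('consents', '?q', ('sendaction', '?p1', '?p2', ('?q', '?t')), '?tau2'),
            frozenset())),
    frozenset())

def example_structure(recipient_is_doctor=False, tau0=10):
    """Constructed log of Example 5.6: at time 7, A sends B message M for purpose test, tagged as C's meds."""
    tt = {('send', 'A', 'B', 'M', 7), ('purp', 'M', 'test', 7), ('tagged', 'M', 'C', 'meds', 7),
          ('attr_in', 'meds', 'phi', 7), ('purp_in', 'test', 'treatment', 7)}
    ff = set()
    (tt if recipient_is_doctor else ff).add(('inrole', 'B', ('doc', 'C'), 7))
    return Structure({7}, tt, ff, tau0)

def enforce(L, policy=ALPHA_POL1, past_complete=True):
    return rewrite(reduce(L, policy), past_complete)
```

`enforce(example_structure())` returns `('bot',)`, the violation at time 7; with `recipient_is_doctor=True` it returns `('top',)`. With `tau0=None` and `past_complete=False` the `consents` atom stays `uu` and the call returns a residual formula instead of a verdict, which is exactly the situation the text describes when past-completeness is dropped: the residual must be kept for a later iteration rather than rewritten to $\bot$.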

6 Application to HIPAA 

We comment on application of our algorithm to transmission-relevant clauses of the HIPAA Privacy 
Rule. These clauses can be viewed as a template for actual privacy policies, which may be obtained 
by instantiating abstract roles like "covered entity" in HIPAA with actual roles like "doctor", 
"nurse", etc. In prior work on PrivacyLFP [16], we have shown that all 84 transmission-related 
clauses in HIPAA can be represented in the logic. Since we have restricted the syntax of quantifiers 
in this paper to facilitate enforcement, an immediate question is whether we can still represent all 
the clauses of HIPAA in our logic. A careful re-analysis of the prior work reveals that 81 of the 84 
clauses fall in the fragment considered in this paper. The three remaining clauses, namely Sections 
164.506(c)(4), 164.512(k)(l)(i), and 164.512(k)(l)(iv) of HIPAA, contain quantifiers with subjective 
restrictions. However, in each such case, the formula under the quantifier contains only subjective 
predicates and, therefore, the entire formula may be considered a single subjective predicate. With 
this minor change, the algorithm of Section 4 can be applied to all 84 clauses of HIPAA. 

The next question is the usefulness of the algorithm, given that HIPAA contains many subjective 
predicates (in fact, 578 out of a total of 881 atoms in our formalization of HIPAA are subjective). 
The answer to this question is two-fold. First, irrespective of the percentage of subjective atoms, 
one practical advantage of using our algorithm is that it instantiates quantifiers automatically using 
log data, which could otherwise be a daunting task for a human auditor. 

Second, our algorithm automatically discharges objective atoms from fully instantiated formu- 
las, leaving only subjective atoms for a human auditor. As discussed in the prior work, with a 
slight amount of design effort, e.g., standardizing message formats, 402 of the subjective atoms 
can be mechanized, leaving a total of 176 subjective atoms, and improving the effectiveness of 
the algorithm significantly. A reasonable method to quantify the effectiveness of the algorithm 
on instantiated formulas is to calculate the ratio of the number of objective atoms to the total 
number of atoms for all 84 clauses. (A more accurate assessment can be made if we also know how 
frequently each clause of HIPAA gets instantiated, but this is impossible without real data.) In 
Appendix D, we list for each clause the numbers of subjective and objective atoms in it (#S and 
#O respectively), as well as the number of subjective atoms that can be mechanized by simple 
design effort such as standardizing message formats (#O'). The ratio (#O' + #O) / (#S + #O) 
shown in the last column is an estimate of the percentage of the clause our algorithm will reduce 
automatically, assuming that the required design effort has been made. Based on these figures, we 
count that in 17 clauses, all atoms can be reduced automatically; in 24 other clauses, at least 80% 
of the atoms can be reduced automatically; and in 29 other clauses, at least 50% of the atoms can 
be reduced automatically. On the other hand, in 6 clauses our algorithm cannot reduce any atoms 
automatically but 5 out of these 6 clauses contain exactly one subjective atom each. 

In summary, even though completely automatic enforcement of policies derived from HIPAA is 
impossible due to its use of subjective predicates, our algorithm can help reduce the burden of human 
auditors significantly, both by instantiating quantifiers automatically and by discharging objective 
atoms in fully instantiated formulas. 

7 Related Work 

Policy Enforcement with Temporal Logic A lot of prior work addresses the problem of 
runtime monitoring of policies expressed in Linear Temporal Logic (LTL) [5, 7, 10, 28, 30, 31] 
and its extensions [7, 29, 30]. Although similar in the spirit of enforcing policies, the intended 
deployment of our work is different: we expect our algorithm to be used for after-the-fact audit for 
violations, rather than for online monitoring. Consequently, the issue of retaining only necessary 
portions of logs, which is central to runtime monitoring, is largely irrelevant for our work (and 
hence not considered in this paper). 

Comparing only the expressiveness of the logic, our work is more advanced than all existing 
work on policy enforcement. First, we enforce a large fragment of first-order temporal logic, whereas 
prior work is either limited to propositional logic [5, 28, 31], or, when quantifiers are considered, 
they are severely restricted [7, 29, 30]. A recent exception to such syntactic restrictions is the 
work of Basin et al. [10], to which we compare in detail below. Second, no prior work considers 
either subjective predicates, or the possibility of gaps in past information, both of which our partial 
structures and enforcement algorithm account for. 

Recent work by Basin et al. [10] considers runtime monitoring over an expressive fragment of Metric First-order Temporal Logic. Similar to our work, Basin et al. allow quantification over infinite domains, and use a form of mode analysis (called a safe-range analysis) to ensure finiteness during enforcement. However, Basin et al.'s mode analysis is weaker than ours; in particular, it cannot relate the same variable in the input and output positions of two different conjuncts of a restriction and requires that each free variable appear in at least one predicate with a finite model. As a consequence, some policies such as $\varphi_{pol1}$ (Example 2.1), whose top-level restriction $(\mathrm{send}(p_1, p_2, m) \wedge \mathrm{purp}(m, u) \wedge \ldots)$ contains a variable $u$ not occurring in any predicate with a finite model, cannot be enforced in their framework, but can be enforced in ours. Due to their goal of runtime enforcement, Basin et al. use auxiliary data structures to cache relevant portions of the log in memory, which may form the basis of useful optimizations in an implementation of our work.

Cederquist et al. [14] present a proof-based system for a-posteriori audit, where policy obli- 
gations are discharged by constructing formal proofs. The leaves of proofs are established from 
logs, but the audit process only checks that an obligation has been satisfied somewhere in the past, 
thus allowing only for obligations of the form Further, there is no systematic mechanism to 

instantiate quantifiers in proofs. However, using connectives of linear logic, the mechanism admits 
policies that rely on consumable permissions. 

The idea of iteratively rewriting the policy over evolving audit logs has been considered previously [28, 31], but only for propositional logic. Bauer et al. [5] use a different approach for iterative enforcement: they convert an LTL formula with limited first-order quantification to a Büchi automaton and check whether the automaton accepts the input log. Further, they also use a three-valued semantic model similar to ours, but assume past-completeness. Three-valued structures have also been considered in work on generalized model checking [13, 19]. However, the problems addressed in that line of work are different; the objective there is to check whether there exist extensions of a given structure in which a formula is satisfied (or falsified).

Policy Specification Several variants of LTL have been used to specify the properties of pro- 
grams, business processes and security and privacy policies [8, 9, 16, 18, 22]. Our representation of 
policies and our logic, PrivacyLFP, draw inspiration from LPU [8]. 

Further, several access-control models have extensions for specifying usage control and future 
obligations [12, 17, 20, 21, 25-27]. Some of these models assume a pre-defined notion of obligations [21, 25]. For instance, Irwin et al. [21] model obligations as tuples containing the subject of 
the obligation, the actions to be performed, the objects that are targets of the actions and the time 
frames of the obligations. Other models leave specifications for obligations abstract [12, 20, 27]. 
Such specific models and the ensuing policies can be encoded in our logic using quantifiers and 
temporal operators. 

There also has been much work on analyzing the properties of policies represented in formal 
models. For instance, Ni et al. study the interaction between obligation and authorization [25], 
Irwin et al. have analyzed accountability problems with obligations [21], and Dougherty et al. have 
modeled the interaction between obligations and programs [17]. These methods are orthogonal to 
our objective of policy enforcement. It may be possible to adapt ideas from these papers to analyze 
similar properties of policies expressed in PrivacyLFP also. 

Finally, privacy languages such as EPAL [6] and privacy API [24] do not include obligations or 
temporal modalities as primitives, and are less expressive than our framework. 

8 Conclusion 

We have presented an expressive and provably correct iterative method for enforcing privacy policies 
that works by reducing policies, even in the face of incomplete system logs. Our method is expressive 
enough to enforce real privacy legislation like HIPAA, yet tractable due to a carefully designed static 
analysis. Under standard assumptions about system logs, we obtain methods to mechanically 
enforce safety and co-safety properties. 

Our planned next step is to implement the proposed enforcement mechanism and to test its 
performance on real privacy legislation. A specific goal is to develop generic optimization and 
caching techniques that encompass all forms of log incompleteness, to the extent possible. Prior 
work on runtime monitoring may provide valuable insights in this regard, but a significant challenge 
is to generalize it beyond past-completeness. 
A Details from Section 2 

The full definition of the duality $\overline{\cdot}$ is shown below:

$$\begin{array}{rcl}
\overline{p_o(t_1, \ldots, t_n)} & = & \overline{p_o}(t_1, \ldots, t_n) \\
\overline{p_s(t_1, \ldots, t_n)} & = & \overline{p_s}(t_1, \ldots, t_n) \\
\overline{\top} & = & \bot \\
\overline{\bot} & = & \top \\
\overline{\varphi \wedge \psi} & = & \overline{\varphi} \vee \overline{\psi} \\
\overline{\varphi \vee \psi} & = & \overline{\varphi} \wedge \overline{\psi} \\
\overline{\forall x \notin S.(c \supset \varphi)} & = & \exists x \notin S.(c \wedge \overline{\varphi}) \\
\overline{\exists x \notin S.(c \wedge \varphi)} & = & \forall x \notin S.(c \supset \overline{\varphi})
\end{array}$$

The full translation $(\cdot)^\tau$ from the temporal logic to the sublogic is shown below (the first group covers restrictions $c$, the second formulas $\alpha$):

$$\begin{array}{rcl}
(p_o(t_1, \ldots, t_n))^\tau & = & p_o(t_1, \ldots, t_n, \tau) \\
(\top)^\tau & = & \top \\
(\bot)^\tau & = & \bot \\
(c_1 \wedge c_2)^\tau & = & (c_1)^\tau \wedge (c_2)^\tau \\
(c_1 \vee c_2)^\tau & = & (c_1)^\tau \vee (c_2)^\tau \\
(\exists x.c)^\tau & = & \exists x.(c)^\tau \\[1ex]
(p_o(t_1, \ldots, t_n))^\tau & = & p_o(t_1, \ldots, t_n, \tau) \\
(p_s(t_1, \ldots, t_n))^\tau & = & p_s(t_1, \ldots, t_n, \tau) \\
(\top)^\tau & = & \top \\
(\bot)^\tau & = & \bot \\
(\forall x.(c \supset \alpha))^\tau & = & \forall x.((c)^\tau \supset (\alpha)^\tau) \\
(\exists x.(c \wedge \alpha))^\tau & = & \exists x.((c)^\tau \wedge (\alpha)^\tau) \\
(\iota x.\alpha)^\tau & = & (\alpha[\tau/x])^\tau \\
(\alpha\, S\, \beta)^\tau & = & \exists\tau'.(\mathrm{in}(\tau', 0, \tau) \wedge (\beta)^{\tau'} \wedge \forall\tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\alpha)^{\tau''})) \\
(\alpha\, U\, \beta)^\tau & = & \exists\tau'.(\mathrm{in}(\tau', \tau, \infty) \wedge (\beta)^{\tau'} \wedge \forall\tau''.((\mathrm{in}(\tau'', \tau, \tau') \wedge \tau'' \neq \tau') \supset (\alpha)^{\tau''})) \\
(\blacksquare\alpha)^\tau & = & \forall\tau'.(\mathrm{in}(\tau', 0, \tau) \supset (\alpha)^{\tau'}) \\
(\Box\alpha)^\tau & = & \forall\tau'.(\mathrm{in}(\tau', \tau, \infty) \supset (\alpha)^{\tau'})
\end{array}$$
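As an added example (not code from the paper), the translation $(\cdot)^\tau$ in the table above can be written as a function over a tuple encoding of temporal formulas. The encoding (`('atom', p, args)`, `('and', a, b)`, `('forall', x, c, a)`, `('box', a)`, `('hist', a)`, `('until', a, b)`, `('since', a, b)`, and so on), the fresh time-variable names `?tau1`, `?tau2`, ..., the rendering of $\tau' \neq \tau''$ as an atom `neq`, and the reading of $G$ as the dual of the page's $F\,\alpha_P = \exists\tau.(\mathrm{in}(\tau, 0, \infty) \wedge (\alpha_P)^\tau)$ are assumptions of this example; the $\iota$ row of the table is not modelled.

```python
import itertools

INF = float('inf')                                      # the paper's oo

def translate(f, tau):
    """(f)^tau of Appendix A: stamp every atom with the current time and unfold the
    temporal operators into quantifiers restricted by the in predicate."""
    fresh = itertools.count(1)
    def new_time():                                     # tau', tau'', ... (naming is an assumption)
        return f'?tau{next(fresh)}'
    def in_(t, lo, hi):
        return ('atom', 'in', (t, lo, hi))
    def go(f, tau):
        kind = f[0]
        if kind == 'atom':                              # (p(t1..tn))^tau = p(t1..tn, tau)
            return ('atom', f[1], f[2] + (tau,))
        if kind in ('top', 'bot'):
            return f
        if kind in ('and', 'or'):
            return (kind, go(f[1], tau), go(f[2], tau))
        if kind in ('forall', 'exists'):                # (Qx.(c, a))^tau = Qx.((c)^tau, (a)^tau)
            return (kind, f[1], go(f[2], tau), go(f[3], tau))
        if kind in ('box', 'hist'):                     # forall t'.(in(t', tau, oo) => (a)^t'), resp. in(t', 0, tau)
            t1 = new_time()
            lo, hi = (tau, INF) if kind == 'box' else (0, tau)
            return ('forall', t1, in_(t1, lo, hi), go(f[1], t1))
        if kind in ('until', 'since'):                  # exists t'.(in(..) and (b)^t' and forall t''.(.. => (a)^t''))
            t1, t2 = new_time(), new_time()
            if kind == 'until':
                outer, inner = in_(t1, tau, INF), in_(t2, tau, t1)
            else:
                outer, inner = in_(t1, 0, tau), in_(t2, t1, tau)
            step = ('forall', t2, ('and', inner, ('atom', 'neq', (t1, t2))), go(f[1], t2))
            return ('exists', t1, outer, ('and', go(f[2], t1), step))
        raise ValueError(f'unknown connective {kind}')
    return go(f, tau)

def F(a):
    """The co-safety form F a = exists tau.(in(tau, 0, oo) and (a)^tau) of Section 5.2."""
    return ('exists', '?tau', ('atom', 'in', ('?tau', 0, INF)), translate(a, '?tau'))

def G(a):
    """The 'in every state' operator, taken here as the dual of F: forall tau.(in(tau, 0, oo) => (a)^tau)."""
    return ('forall', '?tau', ('atom', 'in', ('?tau', 0, INF)), translate(a, '?tau'))
```

Every temporal operator becomes a quantifier whose restriction is an $\mathrm{in}$ atom, which is what lets $\mathrm{sat}$ enumerate time points from the log in the enforcement algorithm: the translated formula contains no temporal operators at all, only restricted quantifiers and time-stamped atoms.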

B Proofs from Section 4 

This appendix contains proofs of theorems presented in Section 4. The proofs are presented in an 
order different from the order of theorems in the main body of the paper because of dependencies 
in the proofs. 

Lemma B.1 (Monotonicity). $\mathcal{L}' \geq \mathcal{L}$ and $\mathcal{L} \models \varphi$ imply $\mathcal{L}' \models \varphi$.

Proof. By induction on $\varphi$. □

Lemma B.2 (Consistency). For all $\mathcal{L}$ and $\varphi$, either $\mathcal{L} \not\models \varphi$ or $\mathcal{L} \not\models \overline{\varphi}$.

Proof. By induction on $\varphi$. □

Theorem B.3 (Correctness of sat; Theorem 4.5). If $\mathrm{sat}(\mathcal{L}, c)$ is defined then for any substitution $\sigma'$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$, $\mathcal{L} \models c\sigma'$ iff there is a substitution $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $\sigma' \geq \sigma$.

Proof. By induction on c and case analysis of its top-level constructor. 
Case. $c = p_o(t_1, \ldots, t_n)$. Then, $\mathrm{sat}(\mathcal{L}, c) = \mathsf{sat}(\mathcal{L}, c)$, the given function on atoms. The result follows from the condition that $\mathsf{sat}$ is required to satisfy (Section 4.3).

Case. $c = \top$. Then, $\mathrm{sat}(\mathcal{L}, c) = \{\bullet\}$. If $\mathcal{L} \models c\sigma'$, $\sigma'$ trivially extends $\bullet$ by definition. Conversely, any substitution $\sigma'$ trivially satisfies $\mathcal{L} \models \top\sigma'$.

Case. $c = \bot$. Then, $\mathrm{sat}(\mathcal{L}, c) = \{\}$. The result is vacuously true in both directions because $\mathcal{L} \not\models \bot\sigma'$, and $\sigma \notin \{\}$ for every $\sigma$.

Case. $c = c_1 \wedge c_2$. Then, $\mathrm{sat}(\mathcal{L}, c) = \bigcup_{\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)} \sigma_1 + \mathrm{sat}(\mathcal{L}, c_2\sigma_1)$. Clearly, if this exists, then $\mathrm{sat}(\mathcal{L}, c_1)$ must be defined also, and for each $\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)$, $\mathrm{sat}(\mathcal{L}, c_2\sigma_1)$ must also be defined.

Suppose $\mathcal{L} \models (c_1 \wedge c_2)\sigma'$. By definition of $\models$, we get $\mathcal{L} \models c_1\sigma'$ and $\mathcal{L} \models c_2\sigma'$. By the i.h., the former implies that there is a $\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)$ such that $\sigma' \geq \sigma_1$. This also implies that $c_2\sigma' = (c_2\sigma_1)\sigma'$. So, $\mathcal{L} \models c_2\sigma'$ implies $\mathcal{L} \models (c_2\sigma_1)\sigma'$. Consequently, by the i.h. on $c_2\sigma_1$, there must be a $\sigma_2 \in \mathrm{sat}(\mathcal{L}, c_2\sigma_1)$ such that $\sigma' \geq \sigma_2$. It follows that $\sigma' \geq \sigma_1 + \sigma_2$. Clearly, $(\sigma_1 + \sigma_2) \in (\sigma_1 + \mathrm{sat}(\mathcal{L}, c_2\sigma_1)) \subseteq (\bigcup_{\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)} \sigma_1 + \mathrm{sat}(\mathcal{L}, c_2\sigma_1)) = \mathrm{sat}(\mathcal{L}, c)$, as required.

Conversely, suppose that there is a $\sigma \in \bigcup_{\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)} \sigma_1 + \mathrm{sat}(\mathcal{L}, c_2\sigma_1)$ and $\sigma' \geq \sigma$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$. We need to show that $\mathcal{L} \models (c_1 \wedge c_2)\sigma'$ or, equivalently, $\mathcal{L} \models c_1\sigma'$ and $\mathcal{L} \models c_2\sigma'$. By set theory, there must be a $\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)$ and a $\sigma_2 \in \mathrm{sat}(\mathcal{L}, c_2\sigma_1)$ such that $\sigma = \sigma_1 + \sigma_2$. Clearly, $\sigma' \geq \sigma_1$. So, by the i.h., we immediately have $\mathcal{L} \models c_1\sigma'$. Similarly, $\sigma' \geq \sigma_2$. So, by i.h. on $c_2\sigma_1$, $\mathcal{L} \models c_2\sigma_1\sigma'$. But, $c_2\sigma_1\sigma' = c_2\sigma'$. Therefore, $\mathcal{L} \models c_2\sigma'$.

Case. $c = c_1 \vee c_2$. Then, $\mathrm{sat}(\mathcal{L}, c) = \mathrm{sat}(\mathcal{L}, c_1) \cup \mathrm{sat}(\mathcal{L}, c_2)$. If this is defined, then, clearly, both $\mathrm{sat}(\mathcal{L}, c_1)$ and $\mathrm{sat}(\mathcal{L}, c_2)$ must be defined.

Suppose $\mathcal{L} \models (c_1 \vee c_2)\sigma'$. By definition of $\models$, we get that either $\mathcal{L} \models c_1\sigma'$ or $\mathcal{L} \models c_2\sigma'$. We consider here the former case (the latter is similar). So $\mathcal{L} \models c_1\sigma'$. By the i.h., there is a $\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1)$ such that $\sigma' \geq \sigma_1$. The proof is complete by noting that $\sigma_1 \in \mathrm{sat}(\mathcal{L}, c_1) \subseteq \mathrm{sat}(\mathcal{L}, c)$.

Conversely, suppose that there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c_1) \cup \mathrm{sat}(\mathcal{L}, c_2)$ and $\sigma' \geq \sigma$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$. We need to show that $\mathcal{L} \models (c_1 \vee c_2)\sigma'$ or, equivalently, either $\mathcal{L} \models c_1\sigma'$ or $\mathcal{L} \models c_2\sigma'$. From $\sigma \in \mathrm{sat}(\mathcal{L}, c_1) \cup \mathrm{sat}(\mathcal{L}, c_2)$, we get that either $\sigma \in \mathrm{sat}(\mathcal{L}, c_1)$ or $\sigma \in \mathrm{sat}(\mathcal{L}, c_2)$. Consider the former case (the latter is similar): $\sigma \in \mathrm{sat}(\mathcal{L}, c_1)$. By i.h. on $c_1$, we immediately get $\mathcal{L} \models c_1\sigma'$, as required.

Case. $c = \exists x.c'$. Then, $\mathrm{sat}(\mathcal{L}, c) = \mathrm{sat}(\mathcal{L}, c') \setminus \{x\}$. If this is defined, then, clearly, $\mathrm{sat}(\mathcal{L}, c')$ must also be defined.

Suppose $\mathcal{L} \models (\exists x.c')\sigma'$. By definition of $\models$, there must be a $t$ such that $\mathcal{L} \models c'[t/x]\sigma'$. By i.h. on $c'$, there must be a $\sigma \in \mathrm{sat}(\mathcal{L}, c')$ such that $(\sigma' + [x \mapsto t]) \geq \sigma$. Clearly, $\sigma' \geq \sigma \setminus \{x\}$ and $\sigma \setminus \{x\} \in \mathrm{sat}(\mathcal{L}, c)$, as required.

Conversely, suppose that there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c') \setminus \{x\}$ and $\sigma' \geq \sigma$ with $\mathrm{dom}(\sigma') \supseteq \mathrm{fv}(c)$. We need to show that $\mathcal{L} \models c\sigma'$. Because $\sigma \in \mathrm{sat}(\mathcal{L}, c') \setminus \{x\}$, there is a $\sigma'' \in \mathrm{sat}(\mathcal{L}, c')$ and a $t$ such that $\sigma'' = \sigma + [x \mapsto t]$. Clearly, $\sigma' + [x \mapsto t] \geq \sigma + [x \mapsto t] = \sigma''$. By i.h. on $c'$, $\mathcal{L} \models c'[t/x]\sigma'$, which implies (by definition of $\models$) that $\mathcal{L} \models (\exists x.c')\sigma'$, i.e., $\mathcal{L} \models c\sigma'$. □

Lemma B.4 (Duality of reduce). $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \overline{\mathrm{reduce}(\mathcal{L}, \varphi)}$.

Proof. By a straightforward induction on $\varphi$. We show some representative cases below.

Case. $\varphi = P$. Then,

$$\mathrm{reduce}(\mathcal{L}, P) = \begin{cases} \top & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{tt} \\ \bot & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{ff} \\ P & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{uu} \end{cases}$$

We consider all three possible subcases on $\rho_{\mathcal{L}}(P)$. If $\rho_{\mathcal{L}}(P) = \mathsf{tt}$ then, by definition, $\rho_{\mathcal{L}}(\overline{P}) = \mathsf{ff}$, so $\mathrm{reduce}(\mathcal{L}, \overline{P}) = \bot = \overline{\top} = \overline{\mathrm{reduce}(\mathcal{L}, P)}$. The case of $\rho_{\mathcal{L}}(P) = \mathsf{ff}$ is similar. For $\rho_{\mathcal{L}}(P) = \mathsf{uu}$, we have $\rho_{\mathcal{L}}(\overline{P}) = \mathsf{uu}$, so $\mathrm{reduce}(\mathcal{L}, \overline{P}) = \overline{P} = \overline{\mathrm{reduce}(\mathcal{L}, P)}$.

Case. $\varphi = \forall x.(c \supset \varphi')$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows:

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \forall x.(c \supset \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^{n} \\
\quad \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

Note that $\overline{\varphi} = \exists x.(c \wedge \overline{\varphi'})$. Consequently, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi})$ is calculated as follows, where we have renamed some bound variables to distinguish them from those in the above display.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \exists x.(c \wedge \overline{\varphi'})) = \mathbf{let} \\
\quad \{\sigma_1', \ldots, \sigma_n'\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i' \leftarrow \sigma_i'(x)\}_{i=1}^{n} \\
\quad S' \leftarrow \{t_1', \ldots, t_n'\} \\
\quad \{\psi_i' \leftarrow \mathrm{reduce}(\mathcal{L}, \overline{\varphi'}[t_i'/x])\}_{i=1}^{n} \\
\quad \psi'' \leftarrow \exists x.((c \wedge x \notin S') \wedge \overline{\varphi'}) \\
\mathbf{return}\ \psi_1' \vee \ldots \vee \psi_n' \vee \psi''
\end{array}$$

We must have $\sigma_i' = \sigma_i$ (because both are calculated using $\mathrm{sat}(\mathcal{L}, c)$) and, consequently, $t_i = t_i'$ and $S = S'$. Thus, by the i.h., we get that $\mathrm{reduce}(\mathcal{L}, \overline{\varphi'}[t_i/x]) = \overline{\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])}$, i.e., $\psi_i' = \overline{\psi_i}$. Also observe that directly from the definition of duality, $\psi'' = \overline{\psi'}$. Thus, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \psi_1' \vee \ldots \vee \psi_n' \vee \psi'' = \overline{\psi_1} \vee \ldots \vee \overline{\psi_n} \vee \overline{\psi'} = \overline{\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'} = \overline{\mathrm{reduce}(\mathcal{L}, \varphi)}$. □

Theorem B.5 (Correctness of reduce; Theorem 4.2). If $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$, then (1) $\mathcal{L}' \models \varphi$ iff $\mathcal{L}' \models \psi$ and (2) $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$.

Proof. First observe that (1) implies (2). Why? Suppose (1) holds for all $\varphi$. We need to show that (2) holds. So suppose $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\mathcal{L}' \geq \mathcal{L}$. By Lemma B.4, $\mathrm{reduce}(\mathcal{L}, \overline{\varphi}) = \overline{\psi}$. Applying the assumed (1) to $\overline{\varphi}$ instead of $\varphi$, we immediately deduce that $\mathcal{L}' \models \overline{\varphi}$ iff $\mathcal{L}' \models \overline{\psi}$, as required.

Hence, we only need to prove (1). We do that by induction on $\varphi$, and a case analysis of its top-level constructor.
Case. $\varphi = P$. Then,

$$\mathrm{reduce}(\mathcal{L}, \varphi) = \begin{cases} \top & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{tt} \\ \bot & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{ff} \\ P & \text{if } \rho_{\mathcal{L}}(P) = \mathsf{uu} \end{cases}$$

We consider three subcases on the value of $\rho_{\mathcal{L}}(P)$.

Subcase. $\rho_{\mathcal{L}}(P) = \mathsf{tt}$. Here, $\psi = \top$. First, assume that $\mathcal{L}' \models \varphi$. Then, we need to prove that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \top$. This follows directly from the definition of $\models$. Conversely, assume that $\mathcal{L}' \models \psi$. We need to prove that $\mathcal{L}' \models P$. By definition, this is equivalent to proving $\rho_{\mathcal{L}'}(P) = \mathsf{tt}$, which follows immediately from the subcase assumption $\rho_{\mathcal{L}}(P) = \mathsf{tt}$ and the assumption $\mathcal{L}' \geq \mathcal{L}$.

Subcase. $\rho_{\mathcal{L}}(P) = \mathsf{ff}$. Here $\psi = \bot$. First, assume that $\mathcal{L}' \models \varphi$. We need to show that $\mathcal{L}' \models \psi$. From the subcase assumption, we have $\rho_{\mathcal{L}}(P) = \mathsf{ff}$, so the definition of $\mathcal{L}' \geq \mathcal{L}$ implies that $\rho_{\mathcal{L}'}(P) = \mathsf{ff}$. However, $\mathcal{L}' \models \varphi$ implies $\mathcal{L}' \models P$, i.e., $\rho_{\mathcal{L}'}(P) = \mathsf{tt}$, a contradiction. Thus, $\mathcal{L}' \models \psi$ holds vacuously.

Conversely, suppose that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \bot$. By definition of $\models$, this is a contradiction, so $\mathcal{L}' \models \varphi$ holds vacuously, as required.

Subcase. $\rho_{\mathcal{L}}(P) = \mathsf{uu}$. Here, $\varphi = \psi = P$, so the case is trivial.

Case. $\varphi = \top$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathrm{reduce}(\mathcal{L}, \top) = \top$. Since $\varphi = \psi$, the case is trivial.

Case. $\varphi = \bot$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathrm{reduce}(\mathcal{L}, \bot) = \bot$. Since $\varphi = \psi$, the case is trivial.

Case. $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2)$, so both the conjuncts exist. First, suppose that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \varphi_1$ and $\mathcal{L}' \models \varphi_2$. By the i.h., $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ and $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$ or, equivalently, $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. Then, $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ and $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By the i.h., $\mathcal{L}' \models \varphi_1$ and $\mathcal{L}' \models \varphi_2$, i.e., $\mathcal{L}' \models \varphi$.

Case. $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$, so both the disjuncts exist. First, suppose that $\mathcal{L}' \models \varphi$, i.e., either $\mathcal{L}' \models \varphi_1$ or $\mathcal{L}' \models \varphi_2$. By the i.h., either $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ or $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. Equivalently, $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. Then, either $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_1)$ or $\mathcal{L}' \models \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By the i.h., either $\mathcal{L}' \models \varphi_1$ or $\mathcal{L}' \models \varphi_2$. Equivalently, $\mathcal{L}' \models \varphi$.

Case. $\varphi = \forall x.(c \supset \varphi')$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \forall x.(c \supset \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^{n} \\
\quad \psi' \leftarrow \forall x.((c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

So $\psi = \psi_1 \wedge \ldots \wedge \psi_n \wedge \forall x.((c \wedge x \notin S) \supset \varphi')$. First, suppose that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \forall x.(c \supset \varphi')$. We need to prove that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \psi_i$ and $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. We first prove that $\mathcal{L}' \models \psi_i$. Because $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., it suffices to show that $\mathcal{L}' \models \varphi'[t_i/x]$. From the definition of $\mathcal{L}' \models \forall x.(c \supset \varphi')$, either $\mathcal{L}' \models \overline{c}[t_i/x]$ or $\mathcal{L}' \models \varphi'[t_i/x]$. Hence, it suffices to prove that $\mathcal{L}' \not\models \overline{c}[t_i/x]$. Suppose, for the sake of contradiction, that $\mathcal{L}' \models \overline{c}[t_i/x]$. Since $\sigma_i \in \mathrm{sat}(\mathcal{L}, c)$, Theorem B.3 yields $\mathcal{L} \models c\sigma_i$, i.e., $\mathcal{L} \models c[t_i/x]$ (note that because $\forall x.(c \supset \varphi')$ is closed, $\mathrm{fv}(c) \subseteq \{x\}$; so $c[t_i/x] = c\sigma_i$). Hence, by Lemma B.1, $\mathcal{L}' \models c[t_i/x]$, which, by Lemma B.2, contradicts the earlier fact $\mathcal{L}' \models \overline{c}[t_i/x]$.

Next, we show that $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. Following the definition of $\models$, pick any $t$. We show that either $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. Since we assumed that $\mathcal{L}' \models \forall x.(c \supset \varphi')$, either $\mathcal{L}' \models \overline{c}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. The proof is complete by observing that $\mathcal{L}' \models \overline{c}[t/x]$ implies $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$.

Conversely, assume that $\mathcal{L}' \models \psi$, i.e., $\mathcal{L}' \models \psi_i$ and $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. We need to prove that $\mathcal{L}' \models \varphi$, i.e., $\mathcal{L}' \models \forall x.(c \supset \varphi')$. Following the definition of $\models$, pick any $t$. We need to prove that either $\mathcal{L}' \models \overline{c}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. We consider two subcases. Either $t \in S$ or $t \notin S$.

Subcase. $t \in S$. Then, $t = t_i$ for some $i$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$ and $\mathcal{L}' \models \psi_i$, by the i.h. we get $\mathcal{L}' \models \varphi'[t_i/x]$, as required.

Subcase. $t \notin S$. We already know that $\mathcal{L}' \models \forall x.((c \wedge x \notin S) \supset \varphi')$. So, either $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$ or $\mathcal{L}' \models \varphi'[t/x]$. If the latter, we are done, so assume the former. Thus, $\mathcal{L}' \models \overline{(c \wedge x \notin S)}[t/x]$, i.e., $\mathcal{L}' \models \overline{c}[t/x] \vee t \in S$. This immediately implies that either $\mathcal{L}' \models \overline{c}[t/x]$ or $t \in S$. The former case is sufficient for our purpose, and the latter case contradicts the subcase assumption.

Case. $\varphi = \exists x.(c \wedge \varphi')$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \exists x.(c \wedge \varphi')) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i \leftarrow \sigma_i(x)\}_{i=1}^{n} \\
\quad S \leftarrow \{t_1, \ldots, t_n\} \\
\quad \{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x])\}_{i=1}^{n} \\
\quad \psi' \leftarrow \exists x.((c \wedge x \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi'
\end{array}$$

So, $\psi = \psi_1 \vee \ldots \vee \psi_n \vee \exists x.((c \wedge x \notin S) \wedge \varphi')$. First suppose that $\mathcal{L}' \models \varphi$. We show that $\mathcal{L}' \models \psi$. Following the definition of $\models$ on $\mathcal{L}' \models \varphi$, we obtain a $t$ such that $\mathcal{L}' \models c[t/x]$ and $\mathcal{L}' \models \varphi'[t/x]$. We consider two subcases: either $t \in S$ or $t \notin S$.

Subcase. $t \in S$. So, $t = t_i$ for some $i$ and from $\mathcal{L}' \models \varphi'[t/x]$ we obtain $\mathcal{L}' \models \varphi'[t_i/x]$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., we get $\mathcal{L}' \models \psi_i$, which immediately implies $\mathcal{L}' \models \psi$.

Subcase. $t \notin S$. Combining this and $\mathcal{L}' \models c[t/x]$, we get $\mathcal{L}' \models (c \wedge x \notin S)[t/x]$. Since $\mathcal{L}' \models \varphi'[t/x]$, we derive from the definition of $\models$ that $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. This immediately yields $\mathcal{L}' \models \psi$.

Conversely, suppose that $\mathcal{L}' \models \psi$. We show that $\mathcal{L}' \models \varphi$. $\mathcal{L}' \models \psi$ implies that either $\mathcal{L}' \models \psi_i$ for some $i$ or $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. We consider both subcases below.

Subcase. $\mathcal{L}' \models \psi_i$. Since $\mathrm{reduce}(\mathcal{L}, \varphi'[t_i/x]) = \psi_i$, by the i.h., $\mathcal{L}' \models \varphi'[t_i/x]$. Further, observe that because $\sigma_i \in \mathrm{sat}(\mathcal{L}, c)$ and $\mathrm{dom}(\sigma_i) \supseteq \{x\} \supseteq \mathrm{fv}(c)$ (the latter because $\exists x.(c \wedge \varphi')$ must be closed), Theorem B.3 yields $\mathcal{L} \models c\sigma_i$ and, hence, $\mathcal{L} \models c[t_i/x]$. By Lemma B.1, $\mathcal{L}' \models c[t_i/x]$. Since we have already derived $\mathcal{L}' \models \varphi'[t_i/x]$, the definition of $\models$ yields that $\mathcal{L}' \models \exists x.(c \wedge \varphi')$, as required.

Subcase. $\mathcal{L}' \models \exists x.((c \wedge x \notin S) \wedge \varphi')$. Thus there must be a $t$ such that $\mathcal{L}' \models c[t/x]$, $t \notin S$, and $\mathcal{L}' \models \varphi'[t/x]$. The first and third facts in the last sentence imply that $\mathcal{L}' \models \exists x.(c \wedge \varphi')$, as required. □

Theorem B.6 (Totality of sat; Theorem 4.7). If $\chi_I \vdash c : \chi_O$ then for all structures $\mathcal{L}$ and all substitutions $\sigma$ with $\mathrm{dom}(\sigma) \supseteq \chi_I$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and, further, for each substitution $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$.

Proof. By induction on the given derivation of $\chi_I \vdash c : \chi_O$ and case analysis of its last rule.



Case.

$$\frac{\forall k \in I(p_o).\ \mathrm{fv}(t_k) \subseteq \chi_I \qquad \chi_O = \chi_I \cup \left(\bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)\right)}{\chi_I \vdash p_o(t_1, \ldots, t_n) : \chi_O}$$

We are given $\sigma$ such that $\mathrm{dom}(\sigma) \supseteq \chi_I$. From this and the first premise it follows that $\forall k \in I(p_o).\ \mathrm{ground}(t_k\sigma)$. Thus, by definition, $\mathsf{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$ is defined. Consequently, $\mathrm{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$, which equals $\mathsf{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$, is also defined. Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, p_o(t_1, \ldots, t_n)\sigma)$. By definition of $\mathsf{sat}$, $\mathrm{dom}(\sigma') \supseteq \bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)$. Consequently, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_I \cup (\bigcup_{j \in O(p_o)} \mathrm{fv}(t_j)) = \chi_O$, where the last relation follows from the second premise.

Case.

$$\frac{}{\chi_I \vdash \top : \chi_I}$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. Note that $\mathrm{sat}(\mathcal{L}, \top\sigma) = \mathrm{sat}(\mathcal{L}, \top) = \{\bullet\}$ is always defined. If $\sigma' \in \{\bullet\}$, then $\sigma' = \bullet$. Clearly, $\chi_I \cup \mathrm{dom}(\sigma') = \chi_I \cup \mathrm{dom}(\bullet) = \chi_I = \chi_O$.

Case.

$$\frac{}{\chi_I \vdash \bot : \chi_I}$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. Note that $\mathrm{sat}(\mathcal{L}, \bot\sigma) = \mathrm{sat}(\mathcal{L}, \bot) = \{\}$ is always defined. Because there cannot be a $\sigma' \in \{\}$, the rest of the proof holds vacuously in this case.

Case.

$$\frac{\chi_I \vdash c_1 : \chi \qquad \chi \vdash c_2 : \chi_O}{\chi_I \vdash c_1 \wedge c_2 : \chi_O}$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. By i.h. on the first premise, $\mathrm{sat}(\mathcal{L}, c_1\sigma)$ is defined. Let $\mathrm{sat}(\mathcal{L}, c_1\sigma) = \{\sigma_1, \ldots, \sigma_n\}$. Also by the i.h., $\chi_I \cup \mathrm{dom}(\sigma_i) \supseteq \chi$. Call this fact (A). Since $\mathrm{dom}(\sigma) \supseteq \chi_I$, fact (A) implies $\mathrm{dom}(\sigma + \sigma_i) \supseteq \chi$. Using the latter, by i.h. on the second premise and each of $\{\sigma + \sigma_1, \ldots, \sigma + \sigma_n\}$, we obtain that $\mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$ is defined for each $i$ and $\forall \sigma_i' \in \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$, $\chi \cup \mathrm{dom}(\sigma_i') \supseteq \chi_O$. Call the last fact (B). We immediately have that $\mathrm{sat}(\mathcal{L}, (c_1 \wedge c_2)\sigma) = \bigcup_{\sigma_i \in \mathrm{sat}(\mathcal{L}, c_1\sigma)} \sigma_i + \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$ is also defined.

Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, (c_1 \wedge c_2)\sigma)$. Then for some $i$ and some $\sigma_i' \in \mathrm{sat}(\mathcal{L}, c_2\sigma\sigma_i)$, we have $\sigma' = \sigma_i + \sigma_i'$. We want to show that $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$ or, equivalently, $\chi_I \cup \mathrm{dom}(\sigma_i + \sigma_i') \supseteq \chi_O$. However, $\chi_I \cup \mathrm{dom}(\sigma_i + \sigma_i') = \chi_I \cup \mathrm{dom}(\sigma_i) \cup \mathrm{dom}(\sigma_i') \supseteq \chi \cup \mathrm{dom}(\sigma_i') \supseteq \chi_O$, where the last two relations follow from facts (A) and (B), respectively.

Case.

$$\frac{\chi_I \vdash c_1 : \chi_1 \qquad \chi_I \vdash c_2 : \chi_2}{\chi_I \vdash c_1 \vee c_2 : \chi_1 \cap \chi_2}$$

Suppose $\mathrm{dom}(\sigma) \supseteq \chi_I$. By i.h. on the first premise, $\mathrm{sat}(\mathcal{L}, c_1\sigma)$ is defined and $\forall \sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma)$, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_1$. Call this fact (A). Similarly, by i.h. on the second premise, $\mathrm{sat}(\mathcal{L}, c_2\sigma)$ is defined and $\forall \sigma' \in \mathrm{sat}(\mathcal{L}, c_2\sigma)$, $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_2$. Call this fact (B). By definition of $\mathrm{sat}$, $\mathrm{sat}(\mathcal{L}, (c_1 \vee c_2)\sigma) = \mathrm{sat}(\mathcal{L}, c_1\sigma) \cup \mathrm{sat}(\mathcal{L}, c_2\sigma)$ is defined.

Pick any $\sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma) \cup \mathrm{sat}(\mathcal{L}, c_2\sigma)$. We want to show $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. Either $\sigma' \in \mathrm{sat}(\mathcal{L}, c_1\sigma)$ or $\sigma' \in \mathrm{sat}(\mathcal{L}, c_2\sigma)$. Consider the former case (the other case is similar). We have $\chi_I \cup \mathrm{dom}(\sigma') \supseteq \chi_1 \supseteq \chi_1 \cap \chi_2 = \chi_O$, where the first relation follows from fact (A).

„ X/ ^ c : Xo 
Case. 

XI ^ 3x.c : Xo\{^} 

Suppose doni((T) ^ xi- By i.h. on the premise, sat(>C,ccj) is defined and Vcr" G sat(>C,C(T), 
X/ U dom((T") 5 Xo- Call the latter fact (A). By definition of sat, sat(>C,3x.c) = sat(£, c)\{j;} is 
defined. 

Pick any a' G sat(£, c)\{x}. We want to prove that xi U dom(cr') 5 Xo\{^}- However, 
a' G sat(i2, c)\{x} implies (by definition) that there is a a" G sat(£, c) such that a' = a"\{x}. 
Thus, xi U dom(cr') = x/ U (dom(cr")\{2;}) ^ Xo\{^}- '^^^ ^^^^ inclusion follows from fact (A). □ 

Lemma B.7. If $\chi_I \vdash c : \chi_O$, then $\chi_O \subseteq \chi_I \cup \mathrm{fv}(c)$.

Proof. By a straightforward induction on the given derivation of $\chi_I \vdash c : \chi_O$. □

Lemma B.8 (Mode substitution). The following hold:

1. If $\chi_I \vdash c : \chi_O$, then $\chi_I \setminus \mathrm{dom}(\sigma) \vdash c\sigma : \chi_O \setminus \mathrm{dom}(\sigma)$.

2. If $\chi \vdash \varphi$, then $\chi \setminus \mathrm{dom}(\sigma) \vdash \varphi\sigma$.

Proof. By induction on the given derivations of $\chi_I \vdash c : \chi_O$ and $\chi \vdash \varphi$. □

Lemma B.9 (Mode weakening). The following hold:

1. If $\chi_I \vdash c : \chi_O$ and $\chi'_I \supseteq \chi_I$, then there is a $\chi'_O \supseteq \chi_O$ such that $\chi'_I \vdash c : \chi'_O$.

2. If $\chi \vdash \varphi$ and $\chi' \supseteq \chi$, then $\chi' \vdash \varphi$.

Proof. By induction on the given derivations of $\chi_I \vdash c : \chi_O$ and $\chi \vdash \varphi$. □

Theorem B.10 (Totality of reduce; Theorem 4.8). If $\vdash \varphi$ then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$ and $\vdash \psi$.

Proof. We prove a more general result: if $\chi \vdash \varphi$ and $\mathrm{dom}(\sigma) \supseteq \chi$, then there is a $\psi$ such that $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi\sigma$ and $\chi \vdash \psi$. The statement of the theorem follows by choosing $\chi = \{\}$ and $\sigma = \bullet$ in this result. We proceed by induction on the assumed derivation of $\chi \vdash \varphi$ and case analysis of its last rule.

Case.
$$\frac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1, \ldots, t_n)}$$

Here, $\varphi = p(t_1, \ldots, t_n)$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Due to the premise, $p(t_1, \ldots, t_n)\sigma$ is ground. Hence, $\rho_{\mathcal{L}}(p(t_1, \ldots, t_n)\sigma)$ is defined. Depending on whether it is $\mathrm{tt}$, $\mathrm{ff}$, or $\mathrm{uu}$, $\mathrm{reduce}(\mathcal{L}, p(t_1, \ldots, t_n)\sigma)$ is $\top$, $\bot$ or $p(t_1, \ldots, t_n)\sigma$ respectively. Accordingly, we choose $\psi = \top$, $\psi = \bot$ or $\psi = p(t_1, \ldots, t_n)$. In each case, $\chi \vdash \psi$.

Case.
$$\frac{}{\chi \vdash \top}$$

Here, $\varphi = \top$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Clearly, we can choose $\psi = \top$ because $\mathrm{reduce}(\mathcal{L}, \top\sigma) = \top = \psi\sigma$ and $\chi \vdash \top$, i.e., $\chi \vdash \psi$.

Case.
$$\frac{}{\chi \vdash \bot}$$

Here, $\varphi = \bot$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. Clearly, we can choose $\psi = \bot$ because $\mathrm{reduce}(\mathcal{L}, \bot\sigma) = \bot = \psi\sigma$ and $\chi \vdash \bot$, i.e., $\chi \vdash \psi$.

Case.
$$\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2}$$

Here, $\varphi = \varphi_1 \wedge \varphi_2$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By i.h. on the first premise, there is a $\psi_1$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) = \psi_1\sigma$ and $\chi \vdash \psi_1$. Similarly, by i.h. on the second premise, there is a $\psi_2$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_2\sigma$ and $\chi \vdash \psi_2$. By definition of reduce, $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \mathrm{reduce}(\mathcal{L}, (\varphi_1 \wedge \varphi_2)\sigma) = \mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_1\sigma \wedge \psi_2\sigma$. Further, $\chi \vdash \psi_1 \wedge \psi_2$ follows from $\chi \vdash \psi_1$ and $\chi \vdash \psi_2$. So we can choose $\psi = \psi_1 \wedge \psi_2$.

Case.
$$\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}$$

Here, $\varphi = \varphi_1 \vee \varphi_2$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By i.h. on the first premise, there is a $\psi_1$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) = \psi_1\sigma$ and $\chi \vdash \psi_1$. Similarly, by i.h. on the second premise, there is a $\psi_2$ such that $\mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_2\sigma$ and $\chi \vdash \psi_2$. By definition of reduce, $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \mathrm{reduce}(\mathcal{L}, (\varphi_1 \vee \varphi_2)\sigma) = \mathrm{reduce}(\mathcal{L}, \varphi_1\sigma) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2\sigma) = \psi_1\sigma \vee \psi_2\sigma$. Further, $\chi \vdash \psi_1 \vee \psi_2$ follows from $\chi \vdash \psi_1$ and $\chi \vdash \psi_2$. So we can choose $\psi = \psi_1 \vee \psi_2$.

Case.
$$\frac{\chi \vdash c : \chi_O \qquad \bar{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \bar{x} \qquad \chi_O \vdash \varphi'}{\chi \vdash \forall \bar{x}.(c \supset \varphi')}$$

Here, $\varphi = \forall \bar{x}.(c \supset \varphi')$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By Theorem B.6 on the first premise, there is a set $\{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c\sigma)$ such that for each $\sigma_i$, $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \chi_O$. Call the latter fact (A). From the second premise and fact (A) we also derive that $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \bar{x}$. Since $\bar{x}$ must be chosen fresh in the premise, this also implies that $\mathrm{dom}(\sigma_i) \supseteq \bar{x}$. Consequently, $\sigma_i(\bar{x})$ is defined. Let $\sigma_i(\bar{x}) = t_i$ and let $S = \{t_1, \ldots, t_n\}$. Further, note that by Lemma B.7 on the first premise, $\chi_O \subseteq \chi \cup \mathrm{fv}(c)$. Hence, from the third premise we obtain $\chi_O \subseteq \chi \cup \chi \cup \bar{x} = \chi \cup \bar{x}$. So, $\mathrm{dom}(\sigma) \cup \bar{x} \supseteq \chi \cup \bar{x} \supseteq \chi_O$. Call this fact (B). From the i.h. applied to the last premise and fact (B) we get the existence of $\psi_i$ such that $\mathrm{reduce}(\mathcal{L}, \varphi'\sigma[t_i/\bar{x}]) = \psi_i\sigma[t_i/\bar{x}]$ and $\chi_O \vdash \psi_i$. Call this fact (C).

By definition of reduce, we obtain $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi_1\sigma[t_1/\bar{x}] \wedge \ldots \wedge \psi_n\sigma[t_n/\bar{x}] \wedge \psi'\sigma$, where $\psi' = \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi')$. Choose $\psi = \psi_1[t_1/\bar{x}] \wedge \ldots \wedge \psi_n[t_n/\bar{x}] \wedge \psi'$. It only remains to show that $\chi \vdash \psi$. This is equivalent to showing that $\chi \vdash \psi_i[t_i/\bar{x}]$ and $\chi \vdash \psi'$. The latter, which is equal to $\chi \vdash \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi')$, follows from the four premises of the rule above. It remains to show that $\chi \vdash \psi_i[t_i/\bar{x}]$. Applying Lemma B.8 to fact (C), we derive that $\chi_O \setminus \bar{x} \vdash \psi_i[t_i/\bar{x}]$. Since we already derived that $\chi_O \subseteq \chi \cup \bar{x}$, we also have $\chi_O \setminus \bar{x} \subseteq \chi$. Hence, by Lemma B.9, we get $\chi \vdash \psi_i[t_i/\bar{x}]$, as required.

Case.
$$\frac{\chi \vdash c : \chi_O \qquad \bar{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \bar{x} \qquad \chi_O \vdash \varphi'}{\chi \vdash \exists \bar{x}.(c \wedge \varphi')}$$

Here, $\varphi = \exists \bar{x}.(c \wedge \varphi')$. Suppose $\mathrm{dom}(\sigma) \supseteq \chi$. By Theorem B.6 on the first premise, there is a set $\{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c\sigma)$ such that for each $\sigma_i$, $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \chi_O$. Call the latter fact (A). From the second premise and fact (A) we also derive that $\chi \cup \mathrm{dom}(\sigma_i) \supseteq \bar{x}$. Since $\bar{x}$ must be chosen fresh in the premise, this also implies that $\mathrm{dom}(\sigma_i) \supseteq \bar{x}$. Consequently, $\sigma_i(\bar{x})$ is defined. Let $\sigma_i(\bar{x}) = t_i$ and let $S = \{t_1, \ldots, t_n\}$. Further, note that by Lemma B.7 on the first premise, $\chi_O \subseteq \chi \cup \mathrm{fv}(c)$. Hence, from the third premise we obtain $\chi_O \subseteq \chi \cup \chi \cup \bar{x} = \chi \cup \bar{x}$. So, $\mathrm{dom}(\sigma) \cup \bar{x} \supseteq \chi \cup \bar{x} \supseteq \chi_O$. Call this fact (B). From the i.h. applied to the last premise and fact (B) we get the existence of $\psi_i$ such that $\mathrm{reduce}(\mathcal{L}, \varphi'\sigma[t_i/\bar{x}]) = \psi_i\sigma[t_i/\bar{x}]$ and $\chi_O \vdash \psi_i$. Call this fact (C).

By definition of reduce, we obtain $\mathrm{reduce}(\mathcal{L}, \varphi\sigma) = \psi_1\sigma[t_1/\bar{x}] \vee \ldots \vee \psi_n\sigma[t_n/\bar{x}] \vee \psi'\sigma$, where $\psi' = \exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi')$. Choose $\psi = \psi_1[t_1/\bar{x}] \vee \ldots \vee \psi_n[t_n/\bar{x}] \vee \psi'$. It only remains to show that $\chi \vdash \psi$. This is equivalent to showing that $\chi \vdash \psi_i[t_i/\bar{x}]$ and $\chi \vdash \psi'$. The latter, which is equal to $\chi \vdash \exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi')$, follows from the four premises of the rule above. It remains to show that $\chi \vdash \psi_i[t_i/\bar{x}]$. Applying Lemma B.8 to fact (C), we derive that $\chi_O \setminus \bar{x} \vdash \psi_i[t_i/\bar{x}]$. Since we already derived that $\chi_O \subseteq \chi \cup \bar{x}$, we also have $\chi_O \setminus \bar{x} \subseteq \chi$. Hence, by Lemma B.9, we get $\chi \vdash \psi_i[t_i/\bar{x}]$, as required. □

Lemma B.11 (Totality of atoms). Suppose $\chi \vdash \varphi$ and $\mathrm{dom}(\sigma) \supseteq \chi$. Then $\mathrm{atoms}(\mathcal{L}, \varphi\sigma)$ is defined and ground.

Proof. By induction on the given derivation of $\chi \vdash \varphi$ and case analysis of its last rule.

Case.
$$\frac{\forall k.\ \mathrm{fv}(t_k) \subseteq \chi}{\chi \vdash p(t_1, \ldots, t_k)}$$

Here $\varphi = p(t_1, \ldots, t_k)$. From the premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, we know that $p(t_1, \ldots, t_k)\sigma$ is ground. Clearly, then $\mathrm{atoms}(\mathcal{L}, p(t_1, \ldots, t_k)\sigma) = \{p(t_1, \ldots, t_k)\sigma\}$ is defined and ground.

Case.
$$\frac{}{\chi \vdash \top}$$

Here $\varphi = \top$. So $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \top) = \{\}$ is defined and ground.

Case.
$$\frac{}{\chi \vdash \bot}$$

Here $\varphi = \bot$. So $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \bot) = \{\}$ is defined and ground.

Case.
$$\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \wedge \varphi_2}$$

Here $\varphi = \varphi_1 \wedge \varphi_2$. By the i.h. applied to the premises, $\mathrm{atoms}(\mathcal{L}, \varphi_i\sigma)$ for $i = 1, 2$ is defined and ground. It follows that $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma \wedge \varphi_2\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2\sigma)$ is also defined and ground.

Case.
$$\frac{\chi \vdash \varphi_1 \qquad \chi \vdash \varphi_2}{\chi \vdash \varphi_1 \vee \varphi_2}$$

Here $\varphi = \varphi_1 \vee \varphi_2$. By the i.h. applied to the premises, $\mathrm{atoms}(\mathcal{L}, \varphi_i\sigma)$ for $i = 1, 2$ is defined and ground. It follows that $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma \vee \varphi_2\sigma) = \mathrm{atoms}(\mathcal{L}, \varphi_1\sigma) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2\sigma)$ is also defined and ground.

Case.
$$\frac{\chi \vdash c : \chi_O \qquad \bar{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \bar{x} \qquad \chi_O \vdash \varphi'}{\chi \vdash \forall \bar{x}.(c \supset \varphi')}$$

Here $\varphi = \forall \bar{x}.(c \supset \varphi')$. By Theorem B.6 on the first premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. The latter implies that for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{dom}(\sigma\sigma') \supseteq \chi_O$. By i.h. on the last premise, for each $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground.

Case.
$$\frac{\chi \vdash c : \chi_O \qquad \bar{x} \subseteq \chi_O \qquad \mathrm{fv}(c) \subseteq \chi \cup \bar{x} \qquad \chi_O \vdash \varphi'}{\chi \vdash \exists \bar{x}.(c \wedge \varphi')}$$

Here $\varphi = \exists \bar{x}.(c \wedge \varphi')$. By Theorem B.6 on the first premise and the given condition $\mathrm{dom}(\sigma) \supseteq \chi$, $\mathrm{sat}(\mathcal{L}, c\sigma)$ is defined and for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\chi \cup \mathrm{dom}(\sigma') \supseteq \chi_O$. The latter implies that for all $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{dom}(\sigma\sigma') \supseteq \chi_O$. By i.h. on the last premise, for each $\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)$, $\mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \varphi\sigma) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c\sigma)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma\sigma')$ is defined and ground. □

Theorem B.12 (Minimality; Theorem 4.3). Suppose $\vdash \varphi$ and $\mathrm{reduce}(\mathcal{L}, \varphi) = \psi$. Then $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap \{P \mid \rho_{\mathcal{L}}(P) = \mathrm{uu}\}$.

Proof. By Lemma B.11, $\mathrm{atoms}(\mathcal{L}, \varphi)$ is defined. Further, by Theorem B.10, $\vdash \psi$, so $\mathrm{atoms}(\mathcal{L}, \psi)$ is also defined. Hence, the statement of the theorem makes sense. We prove the relation $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap \{P \mid \rho_{\mathcal{L}}(P) = \mathrm{uu}\}$ by induction on $\varphi$ and case analysis of its form. Let $U = \{P \mid \rho_{\mathcal{L}}(P) = \mathrm{uu}\}$. We want to show that $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = P$ where $P$ is either a subjective or an objective atom. We perform a sub-case analysis on $\rho_{\mathcal{L}}(P)$.

Subcase. $\rho_{\mathcal{L}}(P) = \mathrm{tt}$. Then, $\psi = \top$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Subcase. $\rho_{\mathcal{L}}(P) = \mathrm{ff}$. Then, $\psi = \bot$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Subcase. $\rho_{\mathcal{L}}(P) = \mathrm{uu}$. Then, $\psi = P$. Further, in this case, $\mathrm{atoms}(\mathcal{L}, \psi) = \{P\} = \mathrm{atoms}(\mathcal{L}, \varphi)$ and $P \in U$ (the latter by definition of $U$). Clearly, $\mathrm{atoms}(\mathcal{L}, \psi) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = \top$. Here, $\psi = \top$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = \bot$. Here, $\psi = \bot$. So, trivially, $\mathrm{atoms}(\mathcal{L}, \psi) = \{\} \subseteq \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \wedge \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By inversion on the derivation of $\vdash \varphi$, we know that $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, by the i.h., for $i = 1, 2$, $\mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_i)) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi_i) \cap U$. Thus, we have $\mathrm{atoms}(\mathcal{L}, \psi) = \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_1)) \cup \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_2)) \subseteq (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cap U) \cup (\mathrm{atoms}(\mathcal{L}, \varphi_2) \cap U) = (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2)) \cap U = \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \mathrm{reduce}(\mathcal{L}, \varphi_1) \vee \mathrm{reduce}(\mathcal{L}, \varphi_2)$. By inversion on the derivation of $\vdash \varphi$, we know that $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, by the i.h., for $i = 1, 2$, $\mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_i)) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi_i) \cap U$. Thus, we have $\mathrm{atoms}(\mathcal{L}, \psi) = \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_1)) \cup \mathrm{atoms}(\mathcal{L}, \mathrm{reduce}(\mathcal{L}, \varphi_2)) \subseteq (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cap U) \cup (\mathrm{atoms}(\mathcal{L}, \varphi_2) \cap U) = (\mathrm{atoms}(\mathcal{L}, \varphi_1) \cup \mathrm{atoms}(\mathcal{L}, \varphi_2)) \cap U = \mathrm{atoms}(\mathcal{L}, \varphi) \cap U$.

Case. $\varphi = \forall \bar{x}.(c \supset \varphi')$. Then,

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i = \sigma_i(\bar{x})\}_{i=1}^{n} \\
\quad S = \{t_1, \ldots, t_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])\}_{i=1}^{n} \\
\quad \psi' = \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\bar{x} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \bar{x}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\bar{x} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Using Lemma B.8 on (4), we get $\chi_O \setminus \bar{x} \vdash \varphi'[t_i/\bar{x}]$. This and fact (A) imply that $\vdash \varphi'[t_i/\bar{x}]$. Call this fact (B). By the i.h. on fact (B) and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])$, we get that $\mathrm{atoms}(\mathcal{L}, \psi_i) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}]) \cap U$. Call this fact (C).

Next, $\mathrm{sat}(\mathcal{L}, (c \wedge \bar{x} \notin S)) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c)} (\sigma' + \mathrm{sat}(\mathcal{L}, \sigma'(\bar{x}) \notin S)) = \bigcup_{i=1}^{n} (\sigma_i + \mathrm{sat}(\mathcal{L}, t_i \notin S)) = \bigcup_{i=1}^{n} (\sigma_i + \{\}) = \{\}$. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \psi') = \mathrm{atoms}(\mathcal{L}, \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi')) = \{\}$. Call this fact (D).

Also, $\mathrm{atoms}(\mathcal{L}, \varphi) = \mathrm{atoms}(\mathcal{L}, \forall \bar{x}.(c \supset \varphi')) = \bigcup_{\sigma \in \mathrm{sat}(\mathcal{L}, c)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma) = \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma_i) = \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}])$ (the last equality follows from $\mathrm{fv}(\varphi') \subseteq \bar{x}$, which in turn follows from fact (B)). Call this fact (E).

Finally, we have,

$$\begin{array}{rcll}
\mathrm{atoms}(\mathcal{L}, \psi) & = & \mathrm{atoms}(\mathcal{L}, \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') & \\
& = & \mathrm{atoms}(\mathcal{L}, \psi') \cup (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Defn. of atoms)} \\
& = & \{\} \cup (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Fact (D))} \\
& = & \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i) & \\
& \subseteq & \bigcup_{i=1}^{n} (\mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}]) \cap U) & \text{(Fact (C))} \\
& = & (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}])) \cap U & \\
& = & \mathrm{atoms}(\mathcal{L}, \varphi) \cap U & \text{(Fact (E))}
\end{array}$$

Case. $\varphi = \exists \bar{x}.(c \wedge \varphi')$. Then,

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i = \sigma_i(\bar{x})\}_{i=1}^{n} \\
\quad S = \{t_1, \ldots, t_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])\}_{i=1}^{n} \\
\quad \psi' = \exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\bar{x} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \bar{x}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\bar{x} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Using Lemma B.8 on (4), we get $\chi_O \setminus \bar{x} \vdash \varphi'[t_i/\bar{x}]$. This and fact (A) imply that $\vdash \varphi'[t_i/\bar{x}]$. Call this fact (B). By the i.h. on fact (B) and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])$, we get that $\mathrm{atoms}(\mathcal{L}, \psi_i) \subseteq \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}]) \cap U$. Call this fact (C).

Next, $\mathrm{sat}(\mathcal{L}, (c \wedge \bar{x} \notin S)) = \bigcup_{\sigma' \in \mathrm{sat}(\mathcal{L}, c)} (\sigma' + \mathrm{sat}(\mathcal{L}, \sigma'(\bar{x}) \notin S)) = \bigcup_{i=1}^{n} (\sigma_i + \mathrm{sat}(\mathcal{L}, t_i \notin S)) = \bigcup_{i=1}^{n} (\sigma_i + \{\}) = \{\}$. Hence, by definition, $\mathrm{atoms}(\mathcal{L}, \psi') = \mathrm{atoms}(\mathcal{L}, \exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi')) = \{\}$. Call this fact (D).

Also, $\mathrm{atoms}(\mathcal{L}, \varphi) = \mathrm{atoms}(\mathcal{L}, \exists \bar{x}.(c \wedge \varphi')) = \bigcup_{\sigma \in \mathrm{sat}(\mathcal{L}, c)} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma) = \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'\sigma_i) = \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}])$ (the last equality follows from $\mathrm{fv}(\varphi') \subseteq \bar{x}$, which in turn follows from fact (B)). Call this fact (E).

Finally, we have,

$$\begin{array}{rcll}
\mathrm{atoms}(\mathcal{L}, \psi) & = & \mathrm{atoms}(\mathcal{L}, \psi_1 \vee \ldots \vee \psi_n \vee \psi') & \\
& = & \mathrm{atoms}(\mathcal{L}, \psi') \cup (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Defn. of atoms)} \\
& = & \{\} \cup (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i)) & \text{(Fact (D))} \\
& = & \bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \psi_i) & \\
& \subseteq & \bigcup_{i=1}^{n} (\mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}]) \cap U) & \text{(Fact (C))} \\
& = & (\bigcup_{i=1}^{n} \mathrm{atoms}(\mathcal{L}, \varphi'[t_i/\bar{x}])) \cap U & \\
& = & \mathrm{atoms}(\mathcal{L}, \varphi) \cap U & \text{(Fact (E))}
\end{array}$$

□

C Proofs from Section 5 

This appendix contains proofs of theorems presented in Section 5. 

Lemma C.1. Suppose $\psi$ does not contain any quantifiers or objective atoms. Then, $\psi \to^* \psi'$ such that (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all structures $\mathcal{L}$, $\mathcal{L} \models \psi$ iff $\mathcal{L} \models \psi'$ and $\mathcal{L} \models \overline{\psi}$ iff $\mathcal{L} \models \overline{\psi'}$.

Proof. By induction on $\psi$. If $\psi$ is either $\top$, $\bot$, or $P_s$, we can choose $\psi' = \psi$.

If $\psi = \psi_1 \wedge \psi_2$, then we inductively rewrite both $\psi_1$ and $\psi_2$ to $\psi'_1$ and $\psi'_2$, respectively. Thus, $\psi_1 \wedge \psi_2 \to^* \psi'_1 \wedge \psi'_2$. If either $\psi'_1$ or $\psi'_2$ equals $\bot$, then $\psi'_1 \wedge \psi'_2 \to \bot$ and we choose $\psi' = \bot$. If $\psi'_1 = \top$, then $\psi'_1 \wedge \psi'_2 \to \psi'_2$, so we can choose $\psi' = \psi'_2$. Similarly, if $\psi'_2 = \top$, then $\psi'_1 \wedge \psi'_2 \to \psi'_1$, so we can choose $\psi' = \psi'_1$. Finally, if both $\psi'_1$ and $\psi'_2$ contain only subjective atoms and the connectives $\wedge$, $\vee$, then we choose $\psi' = \psi'_1 \wedge \psi'_2$.

The case of $\psi = \psi_1 \vee \psi_2$ is handled similarly. No other cases apply. □

Lemma C.2. If $\mathcal{L}$ is objectively-complete, then for all restrictions $c$, either $\mathcal{L} \models c$ or $\mathcal{L} \models \overline{c}$.

Proof. By induction on $c$. □

Lemma C.3. If $\mathcal{L}$ is objectively-complete and $\mathcal{L}' \geq \mathcal{L}$, then for all restrictions $c$, $\mathcal{L} \models c$ iff $\mathcal{L}' \models c$.

Proof. Suppose $\mathcal{L}' \geq \mathcal{L}$. Observe that because $\mathcal{L}$ is objectively-complete, $\mathcal{L}$ and $\mathcal{L}'$ agree on the valuation of objective atoms, which are the only atoms in $c$. The result now follows by a straightforward induction on $c$. □

Theorem C.4 (Theorem 5.2). Suppose $\mathcal{L}$ is objectively-complete, $\vdash \varphi$ and $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$. Then $\psi \to^* \psi'$, where (1) $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$, and (2) for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Proof. By induction on $\varphi$ and case analysis of its form. Define $\mathrm{simp}(\psi')$ to mean statement (1) of the theorem, i.e., that $\psi'$ is either $\top$, or $\bot$, or contains only subjective atoms and the connectives $\wedge$, $\vee$. Define $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$ to mean statement (2) of the theorem, i.e., for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \psi$ iff $\mathcal{L}' \models \psi'$ and $\mathcal{L}' \models \overline{\psi}$ iff $\mathcal{L}' \models \overline{\psi'}$.

Case. $\varphi = P_o$. In this case, $\rho_{\mathcal{L}}(P_o) \in \{\mathrm{tt}, \mathrm{ff}\}$ and, accordingly, $\psi = \top$ or $\psi = \bot$. So we can choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = P_s$. In this case $\psi = \top$ or $\psi = \bot$ or $\psi = P_s$. So we can choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \top$. Then, $\psi = \top$. We choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \bot$. Then, $\psi = \bot$. We choose $\psi' = \psi$ to trivially satisfy both (1) and (2).

Case. $\varphi = \varphi_1 \wedge \varphi_2$. Then, $\psi = \psi_1 \wedge \psi_2$, where $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi_i)$ for $i = 1, 2$. By inversion on the given derivation of $\vdash \varphi$, we deduce $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, from the i.h., $\psi_i \to^* \psi'_i$ where $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. The last fact implies that $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \wedge \psi'_2)$. Further, $\psi = \psi_1 \wedge \psi_2 \to^* \psi'_1 \wedge \psi'_2$. Using Lemma C.1, we obtain a $\psi'$ such that $\psi'_1 \wedge \psi'_2 \to^* \psi'$, $\mathrm{simp}(\psi')$ and $\mathrm{equiv}(\mathcal{L}, \psi'_1 \wedge \psi'_2, \psi')$. The last fact and $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \wedge \psi'_2)$ imply $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$. So $\psi'$ satisfies all our requirements.

Case. $\varphi = \varphi_1 \vee \varphi_2$. Then, $\psi = \psi_1 \vee \psi_2$, where $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi_i)$ for $i = 1, 2$. By inversion on the given derivation of $\vdash \varphi$, we deduce $\vdash \varphi_1$ and $\vdash \varphi_2$. Hence, from the i.h., $\psi_i \to^* \psi'_i$ where $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. The last fact implies that $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \vee \psi'_2)$. Further, $\psi = \psi_1 \vee \psi_2 \to^* \psi'_1 \vee \psi'_2$. Using Lemma C.1, we obtain a $\psi'$ such that $\psi'_1 \vee \psi'_2 \to^* \psi'$, $\mathrm{simp}(\psi')$ and $\mathrm{equiv}(\mathcal{L}, \psi'_1 \vee \psi'_2, \psi')$. The last fact and $\mathrm{equiv}(\mathcal{L}, \psi, \psi'_1 \vee \psi'_2)$ imply $\mathrm{equiv}(\mathcal{L}, \psi, \psi')$. So $\psi'$ satisfies all our requirements.

Case. $\varphi = \forall \bar{x}.(c \supset \varphi')$. Then, $\psi$ is calculated as follows:

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i = \sigma_i(\bar{x})\}_{i=1}^{n} \\
\quad S = \{t_1, \ldots, t_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])\}_{i=1}^{n} \\
\quad \psi'' = \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi''
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\bar{x} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \bar{x}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\bar{x} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_O = \bar{x}$. Call this fact (B).

Next, we show that $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$. Since for all $\mathcal{L}'$, $\mathcal{L}' \models \top$, it suffices to show that for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi')$. By definition of $\models$, it suffices to prove that for all $t$ and $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{c[t/\bar{x}] \wedge t \notin S}$, i.e., $\mathcal{L}' \models \overline{c[t/\bar{x}]} \vee t \in S$. If $t = t_i$ for some $i$, then $\mathcal{L}' \models t \in S$ by definition of $S$, so we are done. Hence, we need only consider the case where $t \notin S$. In this case we show that $\mathcal{L}' \models \overline{c[t/\bar{x}]}$. By Lemma C.2, this is implied by $\mathcal{L}' \not\models c[t/\bar{x}]$, so we show the latter. Suppose, for the sake of contradiction, that $\mathcal{L}' \models c[t/\bar{x}]$. By Lemma C.3, $\mathcal{L} \models c[t/\bar{x}]$. Hence, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\bar{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Therefore, $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_O \setminus \bar{x} \vdash \varphi'[t_i/\bar{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\bar{x}]$. Applying the i.h. to this and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])$, we know that there is a $\psi'_i$ such that $\psi_i \to^* \psi'_i$, $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. Call this fact (D).

Note that $\psi = \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'' \to^* \psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top$ (the second relation follows because $\psi'' \to \top$). Further, because $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$ (fact (D)) and $\mathrm{equiv}(\mathcal{L}, \psi'', \top)$ (fact (C)), it follows that $\mathrm{equiv}(\mathcal{L}, \psi, (\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top))$. Also, from fact (C), $\mathrm{simp}(\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top)$. The proof is complete by choosing the $\psi'$ obtained by applying Lemma C.1 to $\psi'_1 \wedge \ldots \wedge \psi'_n \wedge \top$.

Case. $\varphi = \exists \bar{x}.(c \wedge \varphi')$. Then, $\psi$ is calculated as follows:

$$\begin{array}{l}
\psi = \mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i = \sigma_i(\bar{x})\}_{i=1}^{n} \\
\quad S = \{t_1, \ldots, t_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])\}_{i=1}^{n} \\
\quad \psi'' = \exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi') \\
\mathbf{return}\ \psi_1 \vee \ldots \vee \psi_n \vee \psi''
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\bar{x} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \bar{x}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\bar{x} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_O = \bar{x}$. Call this fact (B).

Next, we show that $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$. Since for all $\mathcal{L}'$, $\mathcal{L}' \models \overline{\bot} = \top$, it suffices to show that for all $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{\exists \bar{x}.((c \wedge \bar{x} \notin S) \wedge \varphi')}$, i.e., $\mathcal{L}' \models \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \overline{\varphi'})$. By definition of $\models$, it suffices to prove that for all $t$ and $\mathcal{L}' \geq \mathcal{L}$, $\mathcal{L}' \models \overline{c[t/\bar{x}] \wedge t \notin S}$, i.e., $\mathcal{L}' \models \overline{c[t/\bar{x}]} \vee t \in S$. If $t = t_i$ for some $i$, then $\mathcal{L}' \models t \in S$ by definition of $S$, so we are done. Hence, we need only consider the case where $t \notin S$. In this case we show that $\mathcal{L}' \models \overline{c[t/\bar{x}]}$. By Lemma C.2, this is implied by $\mathcal{L}' \not\models c[t/\bar{x}]$, so we show the latter. Suppose, for the sake of contradiction, that $\mathcal{L}' \models c[t/\bar{x}]$. By Lemma C.3, $\mathcal{L} \models c[t/\bar{x}]$. Hence, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\bar{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Therefore, $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_O \setminus \bar{x} \vdash \varphi'[t_i/\bar{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\bar{x}]$. Applying the i.h. to this and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])$, we know that there is a $\psi'_i$ such that $\psi_i \to^* \psi'_i$, $\mathrm{simp}(\psi'_i)$ and $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$. Call this fact (D).

Note that $\psi = \psi_1 \vee \ldots \vee \psi_n \vee \psi'' \to^* \psi'_1 \vee \ldots \vee \psi'_n \vee \bot$ (the second relation follows because $\psi'' \to \bot$). Further, because $\mathrm{equiv}(\mathcal{L}, \psi_i, \psi'_i)$ (fact (D)) and $\mathrm{equiv}(\mathcal{L}, \psi'', \bot)$ (fact (C)), it follows that $\mathrm{equiv}(\mathcal{L}, \psi, (\psi'_1 \vee \ldots \vee \psi'_n \vee \bot))$. Also, from fact (C), $\mathrm{simp}(\psi'_1 \vee \ldots \vee \psi'_n \vee \bot)$. The proof is complete by choosing the $\psi'$ obtained by applying Lemma C.1 to $\psi'_1 \vee \ldots \vee \psi'_n \vee \bot$. □
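As an added, runnable illustration (not code from the paper or its authors) of the reduce let-blocks above and of the $\to^*$ rewriting of Lemma C.1 and Theorem C.4, the following Python encodes the sublogic in a hypothetical tuple-based syntax assumed for this example, represents a structure $\mathcal{L}$ as a dictionary of tt/ff entries (everything else is uu), and runs one policy over a log that grows between two iterations; the `complete` flag of `simplify` stands in for the objectively-complete assumption of Theorem C.4.

```python
from collections import namedtuple

# Hypothetical encoding, assumed for this example: terms are strings, variables start
# with '?', ⊤/⊥ are TOP/BOT, and connectives are tuples ("and", a, b), ("or", a, b),
# ("notin", xs, S) for x̄ ∉ S, and ("forall" | "exists", xs, c, body) for ∀x̄.(c ⊃ φ) / ∃x̄.(c ∧ φ).
Atom = namedtuple("Atom", "p args")            # the atom p(t1,...,tn)
TOP, BOT = "TOP", "BOT"

def subst(f, s):
    """Apply substitution s to a formula or restriction (bound variables are assumed fresh)."""
    if isinstance(f, Atom):
        return Atom(f.p, tuple(s.get(t, t) for t in f.args))
    if f in (TOP, BOT):
        return f
    if f[0] == "notin":
        return ("notin", tuple(s.get(x, x) for x in f[1]), f[2])
    if f[0] in ("and", "or"):
        return (f[0], subst(f[1], s), subst(f[2], s))
    return (f[0], f[1], subst(f[2], s), subst(f[3], s))

def match(pattern, ground):
    """Bind the variables of pattern so that it equals the ground tuple, or None."""
    s = {}
    for p, g in zip(pattern, ground):
        if (s.setdefault(p, g) if p.startswith("?") else p) != g:
            return None
    return s

def rho(L, a):
    return L.get(a, "uu")                      # three-valued ρ_L: tt, ff, or uu when the log is silent

def sat(L, c):
    """sat(L, c): substitutions under which restriction c holds in L (finite, as the log is)."""
    if c == TOP:
        return [{}]
    if c == BOT:
        return []
    if isinstance(c, Atom):                    # every tt entry of the log that matches p(t̄)
        return [m for a, v in L.items() if v == "tt" and a.p == c.p and len(a.args) == len(c.args)
                for m in [match(c.args, a.args)] if m is not None]
    if c[0] == "notin":                        # x̄ is ground here: holds iff the tuple is outside S
        return [{}] if c[1] not in c[2] else []
    if c[0] == "and":                          # ⋃_{σ1 ∈ sat(c1)} (σ1 + sat(c2 σ1)), as in Theorem B.6
        return [{**s1, **s2} for s1 in sat(L, c[1]) for s2 in sat(L, subst(c[2], s1))]
    return sat(L, c[1]) + sat(L, c[2])         # "or"

def reduce_(L, phi):
    """reduce(L, φ): settle what the log decides and keep the remainder as a residual formula."""
    if phi in (TOP, BOT):
        return phi
    if isinstance(phi, Atom):                  # ⊤ if ρ_L(P) = tt, ⊥ if ff, P itself if uu
        return {"tt": TOP, "ff": BOT}.get(rho(L, phi), phi)
    if phi[0] in ("and", "or"):
        return (phi[0], reduce_(L, phi[1]), reduce_(L, phi[2]))
    q, xs, c, body = phi
    insts, S = [], set()
    for s in sat(L, c):                        # {σ1..σn} = sat(L, c); t_i = σ_i(x̄); S = {t_1..t_n}
        S.add(tuple(s[x] for x in xs))
        insts.append(reduce_(L, subst(body, s)))
    out = (q, xs, ("and", c, ("notin", xs, frozenset(S))), body)   # ψ' of the let-block
    for f in reversed(insts):                  # ψ1 ∧ ... ∧ ψn ∧ ψ'  (∨ for ∃)
        out = ("and" if q == "forall" else "or", f, out)
    return out

def atoms(L, phi):
    """atoms(L, φ): the ground atoms whose valuation decides φ over L."""
    if phi in (TOP, BOT):
        return frozenset()
    if isinstance(phi, Atom):
        return frozenset([phi])
    if phi[0] in ("and", "or"):
        return atoms(L, phi[1]) | atoms(L, phi[2])
    return frozenset().union(*(atoms(L, subst(phi[3], s)) for s in sat(L, phi[2])))

def simplify(phi, L=None, complete=False):
    """→* of Lemma C.1; with complete=True (Theorem C.4) an exhausted residual quantifier is ⊤/⊥."""
    if isinstance(phi, Atom) or phi in (TOP, BOT):
        return phi
    if phi[0] in ("forall", "exists"):         # quantifiers only go away once the log is complete
        return phi if not complete or sat(L, phi[2]) else (TOP if phi[0] == "forall" else BOT)
    a, b = simplify(phi[1], L, complete), simplify(phi[2], L, complete)
    unit, absorb = (TOP, BOT) if phi[0] == "and" else (BOT, TOP)
    if absorb in (a, b):
        return absorb
    return b if a == unit else a if b == unit else (phi[0], a, b)

def demo():
    """Constructed policy and log (not from the paper): a sent message must be for treatment or authorized."""
    policy = ("forall", ("?p", "?q", "?m"), Atom("send", ("?p", "?q", "?m")),
              ("or", Atom("treatment", ("?m",)), Atom("authorized", ("?q", "?m"))))
    L1 = {Atom("send", ("alice", "bob", "m1")): "tt", Atom("treatment", ("m1",)): "tt",
          Atom("send", ("alice", "carol", "m2")): "tt", Atom("treatment", ("m2",)): "ff"}
    psi1 = reduce_(L1, policy)                 # residual: authorized(carol, m2) is still uu
    U1 = {a for a in atoms(L1, policy) if rho(L1, a) == "uu"}
    L2 = {**L1, Atom("authorized", ("carol", "m2")): "tt",    # L2 ≥ L1: open atom decided,
          Atom("send", ("alice", "dave", "m3")): "tt", Atom("treatment", ("m3",)): "tt"}
    psi2 = simplify(reduce_(L2, simplify(psi1)), L2, complete=True)
    return psi1, atoms(L1, psi1), U1, psi2
```

The second iteration only instantiates the residual quantifier on the new send (the two earlier tuples are excluded by $\bar{x} \notin S$), and with the log treated as objectively-complete the whole formula rewrites to ⊤.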

Next, we turn to proofs of Theorems 5.4 and 5.5. Both theorems rely on a central lemma (Lemma C.11). In order to prove the lemma cleanly, we need a few definitions and some other lemmas. Note that in the rest of this appendix we assume that there are no subjective predicates.

Definition C.5 (Protected restrictions). Let $T$ be a set of time points (possibly non-ground). We define a subclass "$T$-protected" of restrictions $c$ of the sublogic inductively as follows:

1. $p_o(t_1, \ldots, t_n, \tau_0)$ is $T$-protected if $\tau_0 \in T$

2. $\bar{x} \notin S$ is $T$-protected

3. $\tau \neq \tau'$ is $T$-protected

4. $\mathrm{in}(\tau, \tau', \tau_0)$ is $T$-protected if $\tau_0 \in T$

5. $\top$ is $T$-protected

6. $\bot$ is $T$-protected

7. $c_1 \wedge c_2$ is $T$-protected if both $c_1$ and $c_2$ are $T$-protected.

8. $c_1 \vee c_2$ is $T$-protected if both $c_1$ and $c_2$ are $T$-protected.

9. $\exists x.c$ is $T$-protected if $c$ is $T$-protected.

Definition C.6 (Protected formulas). Let $T$ be a set of time points (possibly non-ground). We define a subclass "$T$-protected" of formulas $\varphi$ of the sublogic inductively as follows:

1. $p_o(t_1, \ldots, t_n, \tau_0)$ is $T$-protected if $\tau_0 \in T$

2. $\top$ is $T$-protected

3. $\bot$ is $T$-protected

4. $\varphi_1 \wedge \varphi_2$ is $T$-protected if both $\varphi_1$ and $\varphi_2$ are $T$-protected

5. $\varphi_1 \vee \varphi_2$ is $T$-protected if both $\varphi_1$ and $\varphi_2$ are $T$-protected

6. $\forall \bar{x}.(c \supset \varphi)$ is $T$-protected if $c$ is $T$-protected and $\varphi$ is $T$-protected

7. $\forall \tau.((\mathrm{in}(\tau, \tau', \tau_0) \wedge c) \supset \varphi)$ is $T$-protected if $c$ is $T$-protected, $\tau_0 \in T$, and $\varphi$ is $(T \cup \{\tau\})$-protected

8. $\exists \bar{x}.(c \wedge \varphi)$ is $T$-protected if $c$ is $T$-protected and $\varphi$ is $T$-protected

9. $\exists \tau.((\mathrm{in}(\tau, \tau', \tau_0) \wedge c) \wedge \varphi)$ is $T$-protected if $c$ is $T$-protected, $\tau_0 \in T$, and $\varphi$ is $(T \cup \{\tau\})$-protected

Lemma C.7 (Excluded middle for protected formulas). Let $T$, $\tau_0$ be ground. Suppose $\mathcal{L}$ is $\tau_0$-complete and for all $\tau \in T$, $\tau < \tau_0$. Then, the following hold.

1. If $c$ is ground and $T$-protected, then either $\mathcal{L} \models c$ or $\mathcal{L} \models \overline{c}$.

2. If $\varphi$ is ground and $T$-protected, then either $\mathcal{L} \models \varphi$ or $\mathcal{L} \models \overline{\varphi}$.

Proof. Both statements follow by an induction on the respective definitions of $T$-protected. We show some representative cases below.

Proof of (1).

Case. $c = p_o(t_1, \ldots, t_n, \tau)$ and $\tau \in T$. By definition of $\tau_0$-complete and the fact $\tau < \tau_0$, we know that either $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) = \mathrm{tt}$ or $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) = \mathrm{ff}$. In the former case, $\mathcal{L} \models p_o(t_1, \ldots, t_n, \tau)$, while in the latter case, $\mathcal{L} \models \overline{p_o(t_1, \ldots, t_n, \tau)}$.

Case. $c = c_1 \wedge c_2$ and both $c_1$ and $c_2$ are $T$-protected. By the i.h., for each $i$, either $\mathcal{L} \models c_i$ or $\mathcal{L} \models \overline{c_i}$. If $\mathcal{L} \models c_1$ and $\mathcal{L} \models c_2$, then $\mathcal{L} \models c_1 \wedge c_2$, as required. If, on the other hand, for some $i$, $\mathcal{L} \models \overline{c_i}$, then $\mathcal{L} \models \overline{c_1} \vee \overline{c_2}$, i.e., $\mathcal{L} \models \overline{c}$.

Case. $c = \exists x.c'$ and $c'$ is $T$-protected. By the i.h., for every $t$, either $\mathcal{L} \models c'[t/x]$ or $\mathcal{L} \models \overline{c'}[t/x]$. If there is a $t$ such that $\mathcal{L} \models c'[t/x]$, then also $\mathcal{L} \models \exists x.c'$. If, on the other hand, for every $t$, $\mathcal{L} \models \overline{c'}[t/x]$, then also $\mathcal{L} \models \forall x.\overline{c'}$, i.e., $\mathcal{L} \models \overline{\exists x.c'}$.

Proof of (2).

Case. $\varphi = \forall \bar{x}.(c \supset \varphi')$ where $c$ is $T$-protected and $\varphi'$ is $T$-protected. If for any $t$, $\mathcal{L} \models c[t/\bar{x}]$ and $\mathcal{L} \models \overline{\varphi'}[t/\bar{x}]$, then, by definition, $\mathcal{L} \models \exists \bar{x}.(c \wedge \overline{\varphi'})$, i.e., $\mathcal{L} \models \overline{\varphi}$ and we are done. Hence, we need only consider the case where for every $t$, either $\mathcal{L} \not\models c[t/\bar{x}]$ or $\mathcal{L} \not\models \overline{\varphi'}[t/\bar{x}]$. However, by (1) and the i.h., we also deduce in this case that for every $t$, either $\mathcal{L} \models \overline{c}[t/\bar{x}]$ or $\mathcal{L} \models \varphi'[t/\bar{x}]$. By definition of $\models$, $\mathcal{L} \models \varphi$ in this case.

Case. $\varphi = \forall \tau.((\mathrm{in}(\tau, \tau', \tau_1) \wedge c) \supset \varphi')$ where $c$ is $T$-protected, $\tau_1 \in T$, and $\varphi'$ is $(T \cup \{\tau\})$-protected. We consider two exhaustive subcases:

Subcase. There is a ground $\tau''$ such that $\mathcal{L} \models \mathrm{in}(\tau'', \tau', \tau_1)$, $\mathcal{L} \models c[\tau''/\tau]$ and $\mathcal{L} \models \overline{\varphi'}[\tau''/\tau]$. By definition of $\models$, $\mathcal{L} \models \exists \tau.((\mathrm{in}(\tau, \tau', \tau_1) \wedge c) \wedge \overline{\varphi'})$, i.e., $\mathcal{L} \models \overline{\varphi}$.

Subcase. For every ground $\tau''$, either $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, or $\mathcal{L} \not\models c[\tau''/\tau]$, or $\mathcal{L} \not\models \overline{\varphi'}[\tau''/\tau]$. In this case we show that $\mathcal{L} \models \varphi$. Following the definition of $\models$, pick any $\tau''$. It suffices to prove that either $\mathcal{L} \models \overline{\mathrm{in}(\tau'', \tau', \tau_1)}$ or $\mathcal{L} \models \overline{c}[\tau''/\tau]$ or $\mathcal{L} \models \varphi'[\tau''/\tau]$. From the subcase assumption, $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, or $\mathcal{L} \not\models c[\tau''/\tau]$, or $\mathcal{L} \not\models \overline{\varphi'}[\tau''/\tau]$. If $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, then because $\mathrm{in}(\tau'', \tau', \tau_1)$ is $T$-protected (note that $\tau_1 \in T$), (1) implies that $\mathcal{L} \models \overline{\mathrm{in}(\tau'', \tau', \tau_1)}$. The case $\mathcal{L} \not\models c[\tau''/\tau]$ is similar. That leaves only the last case: $\mathcal{L} \not\models \overline{\varphi'}[\tau''/\tau]$. Since $\varphi'$ is $(T \cup \{\tau\})$-protected, $\varphi'[\tau''/\tau]$ is $(T \cup \{\tau''\})$-protected. Further, because we already considered the case $\mathcal{L} \not\models \mathrm{in}(\tau'', \tau', \tau_1)$, we may assume here that $\mathcal{L} \models \mathrm{in}(\tau'', \tau', \tau_1)$, which implies $\tau'' < \tau_1 < \tau_0$. Thus, we can apply the i.h. to $\varphi'[\tau''/\tau]$ to deduce that either $\mathcal{L} \models \varphi'[\tau''/\tau]$ or $\mathcal{L} \models \overline{\varphi'}[\tau''/\tau]$. The latter is assumed to be false, so we must have $\mathcal{L} \models \varphi'[\tau''/\tau]$, as required. □

Lemma C.8 (Reduction of protected formulas). Let $T$, $\tau_0$ be ground. Suppose $\varphi$ is $T$-protected, $\vdash \varphi$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau \in T$, $\tau < \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \varphi) \to^* \psi$, where $\psi = \top$ or $\psi = \bot$ and $\mathcal{L} \models \varphi$ iff $\mathcal{L} \models \psi$.

Proof. By induction on the derivation of $\varphi$ being $T$-protected. The proof is very similar to that of Theorem C.4 and we show here only some representative cases of the induction.

Case. $\varphi = p_o(t_1, \ldots, t_n, \tau)$ where $\tau \in T$. Because $\mathcal{L}$ is $\tau_0$-complete and $\tau < \tau_0$, we know that $\rho_{\mathcal{L}}(p_o(t_1, \ldots, t_n, \tau)) \in \{\mathrm{tt}, \mathrm{ff}\}$. Accordingly, $\mathrm{reduce}(\mathcal{L}, \varphi) \in \{\top, \bot\}$, so we can choose $\psi = \mathrm{reduce}(\mathcal{L}, \varphi)$ to satisfy the theorem's requirements.

Case. $\varphi = \forall \bar{x}.(c \supset \varphi')$ where $c$ and $\varphi'$ are both $T$-protected. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, c) \\
\quad \{t_i = \sigma_i(\bar{x})\}_{i=1}^{n} \\
\quad S = \{t_1, \ldots, t_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])\}_{i=1}^{n} \\
\quad \psi' = \forall \bar{x}.((c \wedge \bar{x} \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash c : \chi_O$, (2) $\bar{x} \subseteq \chi_O$, (3) $\mathrm{fv}(c) \subseteq \bar{x}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(c)$. From this, (2), and (3), it follows that $\bar{x} = \mathrm{fv}(c) = \chi_O$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_O = \bar{x}$. Call this fact (B).

Next, we show that $\mathcal{L} \models \psi'$. Following the definition of $\models$, it suffices to prove that for all $t$, $\mathcal{L} \models \overline{c[t/\bar{x}] \wedge t \notin S}$, i.e., either $\mathcal{L} \models \overline{c[t/\bar{x}]}$ or $t \in S$. Suppose $t \notin S$. Then, we show that $\mathcal{L} \models \overline{c[t/\bar{x}]}$. Because $c$ is $T$-protected, Lemma C.7(1) applies, so the last fact is implied by $\mathcal{L} \not\models c[t/\bar{x}]$. So we prove this instead. Suppose, for the sake of contradiction, that $\mathcal{L} \models c[t/\bar{x}]$. Then, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ such that $[\bar{x} \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = t_i$. Hence, $t = t_i \in S$, a contradiction. Hence, we must have $\mathcal{L} \models \psi'$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_O \setminus \bar{x} \vdash \varphi'[t_i/\bar{x}]$. Using fact (A), we have $\vdash \varphi'[t_i/\bar{x}]$. We already know that $\varphi'$ is $T$-protected and, hence, $\varphi'[t_i/\bar{x}]$ is also $T$-protected. Applying the i.h. to the last two facts, and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[t_i/\bar{x}])$, we know that there is a $\psi'_i \in \{\top, \bot\}$ such that $\psi_i \to^* \psi'_i$ and $\mathcal{L} \models \varphi'[t_i/\bar{x}]$ iff $\mathcal{L} \models \psi'_i$. Note that by Theorem B.5, this also implies $\mathcal{L} \models \psi_i$ iff $\mathcal{L} \models \psi'_i$. Call this fact (D). We consider two subcases:

Subcase. For every $i$, $\psi'_i = \top$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') \to^* \top$ (note: $\psi' \to \top$). We must show that $\mathcal{L} \models \varphi$. We have by fact (D) that $\mathcal{L} \models \psi_i$ for each $i$ and by fact (C) that $\mathcal{L} \models \psi'$. Consequently, $\mathcal{L} \models (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi')$ and, hence, by Theorem B.5, $\mathcal{L} \models \varphi$.

Subcase. There is an $i$ such that $\psi'_i = \bot$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\ldots \wedge \psi_i \wedge \ldots) \to^* \bot$. We must show that $\mathcal{L} \not\models \varphi$. Note that by fact (D), $\mathcal{L} \not\models \psi_i$. Consequently, by definition of $\models$, $\mathcal{L} \not\models \mathrm{reduce}(\mathcal{L}, \varphi)$ and, hence, by Theorem B.5, $\mathcal{L} \not\models \varphi$, as required.

Case. $\varphi = \forall x.((\mathrm{in}(x, \tau', \tau) \wedge c) \supset \varphi')$ where $c$ is $T$-protected, $\tau \in T$, and $\varphi'$ is $(T \cup \{x\})$-protected. Then, $\mathrm{reduce}(\mathcal{L}, \varphi)$ is calculated as follows.

$$\begin{array}{l}
\mathrm{reduce}(\mathcal{L}, \varphi) = \mathbf{let} \\
\quad \{\sigma_1, \ldots, \sigma_n\} = \mathrm{sat}(\mathcal{L}, (\mathrm{in}(x, \tau', \tau) \wedge c)) \\
\quad \{\tau_i = \sigma_i(x)\}_{i=1}^{n} \\
\quad S = \{\tau_1, \ldots, \tau_n\} \\
\quad \{\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[\tau_i/x])\}_{i=1}^{n} \\
\quad \psi' = \forall x.((\mathrm{in}(x, \tau', \tau) \wedge c \wedge x \notin S) \supset \varphi') \\
\mathbf{return}\ \psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'
\end{array}$$

By inversion on the given derivation of $\vdash \varphi$, we know that there is a $\chi_O$ such that (1) $\{\} \vdash \mathrm{in}(x, \tau', \tau) \wedge c : \chi_O$, (2) $\{x\} \subseteq \chi_O$, (3) $\mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c) \subseteq \{x\}$, and (4) $\chi_O \vdash \varphi'$. By Lemma B.7 on (1), $\chi_O \subseteq \mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c)$. From this, (2), and (3), it follows that $\{x\} = \mathrm{fv}(\mathrm{in}(x, \tau', \tau) \wedge c) = \chi_O$. Call this fact (A). Note also that by Theorem B.6, $\mathrm{dom}(\sigma_i) \supseteq \chi_O = \{x\}$. Call this fact (B).

Next, we show that $\mathcal{L} \models \psi'$. Following the definition of $\models$, it suffices to prove that for all $t$, $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x] \wedge t \notin S}$, i.e., either $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x]}$ or $t \in S$. Suppose $t \notin S$. Then, we show that $\mathcal{L} \models \overline{\mathrm{in}(t, \tau', \tau) \wedge c[t/x]}$. Because $\mathrm{in}(t, \tau', \tau) \wedge c[t/x]$ is $T$-protected, Lemma C.7(1) applies, so the last fact is implied by $\mathcal{L} \not\models \mathrm{in}(t, \tau', \tau) \wedge c[t/x]$. So we prove this instead. Suppose, for the sake of contradiction, that $\mathcal{L} \models \mathrm{in}(t, \tau', \tau) \wedge c[t/x]$. Then, by Theorem B.3, there is a $\sigma \in \mathrm{sat}(\mathcal{L}, \mathrm{in}(x, \tau', \tau) \wedge c)$ such that $[x \mapsto t] \geq \sigma$. $\sigma \in \mathrm{sat}(\mathcal{L}, \mathrm{in}(x, \tau', \tau) \wedge c)$ forces $\sigma = \sigma_i$ for some $i$ and, by fact (B), $t = \tau_i$. Hence, $t = \tau_i \in S$, a contradiction. Hence, we must have $\mathcal{L} \models \psi'$. Call this fact (C).

By Lemma B.8 on (4), we derive $\chi_O \setminus \{x\} \vdash \varphi'[\tau_i/x]$. Using fact (A), we have $\vdash \varphi'[\tau_i/x]$. We already know that $\varphi'$ is $(T \cup \{x\})$-protected and, hence, $\varphi'[\tau_i/x]$ is $(T \cup \{\tau_i\})$-protected. Note also that $\tau_i < \tau < \tau_0$. Applying the i.h. to the last three facts, and $\psi_i = \mathrm{reduce}(\mathcal{L}, \varphi'[\tau_i/x])$, we know that there is a $\psi'_i \in \{\top, \bot\}$ such that $\psi_i \to^* \psi'_i$ and $\mathcal{L} \models \varphi'[\tau_i/x]$ iff $\mathcal{L} \models \psi'_i$. Note that by Theorem B.5, this also implies $\mathcal{L} \models \psi_i$ iff $\mathcal{L} \models \psi'_i$. Call this fact (D). We consider two subcases:

Subcase. For every $i$, $\psi'_i = \top$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi') \to^* \top$ (note: $\psi' \to \top$). We must show that $\mathcal{L} \models \varphi$. We have by fact (D) that $\mathcal{L} \models \psi_i$ for each $i$ and by fact (C) that $\mathcal{L} \models \psi'$. Consequently, $\mathcal{L} \models (\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi')$ and, hence, by Theorem B.5, $\mathcal{L} \models \varphi$.

Subcase. There is an $i$ such that $\psi'_i = \bot$. Clearly, we have $\mathrm{reduce}(\mathcal{L}, \varphi) = (\ldots \wedge \psi_i \wedge \ldots) \to^* \bot$. We must show that $\mathcal{L} \not\models \varphi$. Note that by fact (D), $\mathcal{L} \not\models \psi_i$. Consequently, by definition of $\models$, $\mathcal{L} \not\models \mathrm{reduce}(\mathcal{L}, \varphi)$ and, hence, by Theorem B.5, $\mathcal{L} \not\models \varphi$, as required. □

Lemma C.9 (Duality of protection). $\varphi$ is $T$-protected iff $\overline{\varphi}$ is $T$-protected.

Proof. By a straightforward induction on $\varphi$. □

Lemma C.10 (Past translation). The following hold:

1. If $c$ is a restriction in the temporal logic, then for any $\tau \in T$, $(c)^\tau$ is $T$-protected.

2. If $\alpha_P$ is a temporal logic formula without future operators, then for any $\tau \in T$, $(\alpha_P)^\tau$ is $T$-protected.

Proof. (1) follows by a straightforward induction on $c$. Then, (2) follows by induction on $\alpha_P$. The case $\alpha_P = p_s(t_1, \ldots, t_n)$ does not arise because we assume that there are no subjective predicates. Similarly, the cases $\alpha_P = \mathsf{G}\beta$ and $\alpha_P = \beta_1\,\mathsf{U}\,\beta_2$ do not arise because $\alpha_P$ does not contain future operators. We show some other representative cases below.

Case. $\alpha_P = p_o(t_1, \ldots, t_n)$. Then, $(\alpha_P)^\tau = p_o(t_1, \ldots, t_n, \tau)$, which is $T$-protected because $\tau \in T$ is given.

Case. $\alpha_P = \neg\alpha'_P$. Then, $(\alpha_P)^\tau = \overline{(\alpha'_P)^\tau}$. By the i.h., $(\alpha'_P)^\tau$ is $T$-protected. Hence, by Lemma C.9, $\overline{(\alpha'_P)^\tau}$ is also $T$-protected.

Case. $\alpha_P = \forall \bar{x}.(c \supset \beta_P)$. Then, $(\alpha_P)^\tau = \forall \bar{x}.((c)^\tau \supset (\beta_P)^\tau)$. By statement (1), $(c)^\tau$ is $T$-protected, and by the i.h., $(\beta_P)^\tau$ is $T$-protected. Hence, $(\alpha_P)^\tau$ is $T$-protected by clause (6) of Defn C.6.

Case. $\alpha_P = {\downarrow}x.\beta_P$. Then, $(\alpha_P)^\tau = (\beta_P[\tau/x])^\tau$. By the i.h. on the smaller formula $\beta_P[\tau/x]$, we get that $(\beta_P[\tau/x])^\tau$ is $T$-protected.

Case. $\alpha_P = \beta_1\,\mathsf{S}\,\beta_2$. Then, $(\alpha_P)^\tau = \exists \tau'.(\mathrm{in}(\tau', 0, \tau) \wedge (\beta_2)^{\tau'} \wedge (\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)^{\tau''})))$. First, by the i.h., $(\beta_1)^{\tau''}$ is $(T \cup \{\tau''\})$-protected. Consequently, by clause (7) of Defn C.6, $(\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)^{\tau''}))$ is $T$-protected. Hence, it is also $(T \cup \{\tau'\})$-protected. Call this fact (A). Next, by the i.h., $(\beta_2)^{\tau'}$ is $(T \cup \{\tau'\})$-protected. Combining this and fact (A), we have that $(\beta_2)^{\tau'} \wedge (\forall \tau''.((\mathrm{in}(\tau'', \tau', \tau) \wedge \tau' \neq \tau'') \supset (\beta_1)^{\tau''}))$ is $(T \cup \{\tau'\})$-protected. By clause (9) of Defn C.6, $(\alpha_P)^\tau$ is $T$-protected, as required.

Case. $\alpha_P = \boxminus\beta_P$. Then, $(\alpha_P)^\tau = \forall \tau'.(\mathrm{in}(\tau', \tau, \infty) \supset (\beta_P)^{\tau'})$. By the i.h., $(\beta_P)^{\tau'}$ is $(T \cup \{\tau'\})$-protected. Hence, by clause (7) of Defn C.6, $(\alpha_P)^\tau$ is $T$-protected. □

Lemma C.11 (Reduction of past formulas). Let $\alpha_p$ be a temporal logic formula without future operators, and suppose that $\tau$ is a ground time point such that $\vdash (\alpha_p)^\tau$. Let $\mathcal{L}$ be $\tau_0$-complete and $\tau_0 \geq \tau$. Then, either (1) $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^\tau) \rightarrow^* \top$ and $\mathcal{L} \models (\alpha_p)^\tau$, or (2) $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^\tau) \rightarrow^* \bot$ and $\mathcal{L} \models \neg(\alpha_p)^\tau$.

Proof. By Lemma C.10(2), $(\alpha_p)^\tau$ is $\{\tau\}$-protected. Because $\tau \leq \tau_0$ and $\vdash (\alpha_p)^\tau$, by Lemma C.8, $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^\tau) \rightarrow^* \psi$, where $\psi = \top$ or $\psi = \bot$, and $\mathcal{L} \models (\alpha_p)^\tau$ iff $\mathcal{L} \models \psi$. Call the latter fact (A). We consider two cases:

Case. $\psi = \top$. In this case, fact (A) means that $\mathcal{L} \models (\alpha_p)^\tau$ iff $\mathcal{L} \models \top$, which implies that $\mathcal{L} \models (\alpha_p)^\tau$. So (1) holds.

Case. $\psi = \bot$. In this case, fact (A) yields $\mathcal{L} \not\models (\alpha_p)^\tau$. Since $(\alpha_p)^\tau$ is $\{\tau\}$-protected (already proved) and $\tau \leq \tau_0$, Lemma C.7(2) yields $\mathcal{L} \models \neg(\alpha_p)^\tau$. So (2) holds. □

Theorem C.12 (Enforcement of safety properties; Theorem 5.4). Suppose $\mathbf{G}\,\alpha_p$ is a safety property, $\vdash \mathbf{G}\,\alpha_p$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau,0,\infty)) = \mathrm{tt}) \Rightarrow \tau \leq \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathbf{G}\,\alpha_p) \rightarrow^* \bot$ iff there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models \neg(\alpha_p)^\tau$.

Proof. We have $\mathbf{G}\,\alpha_p = \forall\tau.(\mathrm{in}(\tau,0,\infty) \supset (\alpha_p)^\tau)$. Let $\mathrm{reduce}(\mathcal{L}, \mathbf{G}\,\alpha_p) = \psi$. Then,

$\psi = \mathrm{reduce}(\mathcal{L}, \forall\tau.(\mathrm{in}(\tau,0,\infty) \supset (\alpha_p)^\tau)) =$
    let  $\{\sigma_1, \ldots, \sigma_n\} \leftarrow \mathrm{sat}(\mathcal{L}, \mathrm{in}(\tau,0,\infty))$
         $\{\tau_i \leftarrow \sigma_i(\tau)\}_{i=1}^{n}$
         $S \leftarrow \{\tau_1, \ldots, \tau_n\}$
         $\{\psi_i \leftarrow \mathrm{reduce}(\mathcal{L}, (\alpha_p)^{\tau_i})\}_{i=1}^{n}$
         $\psi' \leftarrow \forall\tau.((\mathrm{in}(\tau,0,\infty) \wedge \tau \notin S) \supset (\alpha_p)^\tau)$
    return  $\psi_1 \wedge \ldots \wedge \psi_n \wedge \psi'$

By inversion on $\vdash \mathbf{G}\,\alpha_p$, we obtain a $\chi_0$ such that $\vdash \mathrm{in}(\tau,0,\infty) : \chi_0$ and $\chi_0 \vdash (\alpha_p)^\tau$. The first of these forces $\chi_0 = \{\tau\}$, so from the second one we have that $\tau \vdash (\alpha_p)^\tau$. Using Lemma B.8(2), we get $\vdash (\alpha_p)^{\tau_i}$. Call this fact (A). Next, observe that by Theorem B.3, for each $\tau_i$, $\mathcal{L} \models \mathrm{in}(\tau_i,0,\infty)$, i.e., $\rho_{\mathcal{L}}(\mathrm{in}(\tau_i,0,\infty)) = \mathrm{tt}$. This forces $\tau_i \leq \tau_0$ by the assumptions of the theorem we are proving. Call this fact (B). We now prove the two directions of the conclusion of the theorem.

Direction "if". Suppose there is a $\tau$ with $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models \neg(\alpha_p)^\tau$. We prove that $\psi \rightarrow^* \bot$. By Theorem B.3 applied to $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$, $\tau = \tau_i$ for some $i$. Hence, by Lemma C.11, using facts (A) and (B) and $\mathcal{L} \models \neg(\alpha_p)^{\tau_i}$, we have that $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^{\tau_i}) \rightarrow^* \bot$, i.e., $\psi_i \rightarrow^* \bot$. Clearly, $\psi = (\ldots \wedge \psi_i \wedge \ldots) \rightarrow^* \bot$, as required.

Direction "only if". Suppose that $\mathrm{reduce}(\mathcal{L}, \mathbf{G}\,\alpha_p) \rightarrow^* \bot$, i.e., $\psi \rightarrow^* \bot$. We show that there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models \neg(\alpha_p)^\tau$. By definition of $\rightarrow$, we obtain that either for some $i$, $\psi_i \rightarrow^* \bot$, or $\psi' \rightarrow^* \bot$. The latter is impossible because $\psi'$ has a top-level $\forall$, which can only be rewritten to $\top$. Hence, there is an $i$ such that $\psi_i \rightarrow^* \bot$, i.e., $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^{\tau_i}) \rightarrow^* \bot$. Choose $\tau = \tau_i$. By Lemma C.11, using facts (A) and (B) and $\mathrm{reduce}(\mathcal{L}, (\alpha_p)^{\tau_i}) \rightarrow^* \bot$, we obtain that $\mathcal{L} \models \neg(\alpha_p)^{\tau_i}$. The remaining requirement, $\mathcal{L} \models \mathrm{in}(\tau_i,0,\tau_0)$, follows from fact (B). □

Theorem C.13 (Enforcement of co-safety properties; Theorem 5.5). Suppose $\mathbf{F}\,\alpha_p$ is a co-safety property, $\vdash \mathbf{F}\,\alpha_p$, $\mathcal{L}$ is $\tau_0$-complete, and for all $\tau$, $(\rho_{\mathcal{L}}(\mathrm{in}(\tau,0,\infty)) = \mathrm{tt}) \Rightarrow \tau \leq \tau_0$. Then, $\mathrm{reduce}(\mathcal{L}, \mathbf{F}\,\alpha_p) \rightarrow^* \top$ if and only if there is a $\tau$ such that $\mathcal{L} \models \mathrm{in}(\tau,0,\tau_0)$ and $\mathcal{L} \models (\alpha_p)^\tau$.

Proof. Similar to that of Theorem C.12. □
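The reduce step written out in the proof of Theorem C.12, and the iteration it supports over a growing log, can be seen concretely on a toy log. The Python below is an added example and not the paper's implementation. It assumes integer time points, a log that records every event up to $\tau_0$ and nothing beyond it (so the time points satisfying $\mathrm{in}(\tau,0,\infty)$ are exactly the logged ones), and an $\alpha_p$ drawn from a small past fragment with atoms, negation, conjunction and $\mathbf{S}$, translated as in Lemma C.10. The policy, atom names and log contents are constructed for illustration.

```python
"""Added example (not the paper's implementation): a small model of
reduce(L, G alpha_p) over a tau0-complete log, as in Theorem C.12.
Assumptions: integer time points; the log records every event at times
<= tau0 and nothing after; alpha_p uses only atoms, not, and, since."""
from typing import Optional

# alpha_p syntax: ("atom", name) | ("not", f) | ("and", f, g) | ("since", f, g)
Formula = tuple

def atom(n): return ("atom", n)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def since(f, g): return ("since", f, g)
def implies(f, g): return neg(conj(f, neg(g)))   # f -> g, derived connective

class Log:
    """tau0-complete log: atoms true at times <= tau0 are all recorded;
    about times > tau0 the log says nothing (three-valued: unknown)."""
    def __init__(self, events: dict, tau0: int):
        self.events = {t: set(a) for t, a in events.items()}
        self.tau0 = tau0

    def extend(self, more: dict, new_tau0: int) -> "Log":
        ev = {t: set(a) for t, a in self.events.items()}
        for t, a in more.items():
            ev.setdefault(t, set()).update(a)
        return Log(ev, new_tau0)

    def holds(self, name: str, t: int) -> Optional[bool]:
        if t > self.tau0:
            return None                       # outside the complete prefix
        return name in self.events.get(t, set())

# Kleene three-valued connectives: None stands for "not determined by the log"
def k_and(a, b):
    if a is False or b is False: return False
    if a is True and b is True: return True
    return None

def k_or(a, b):
    if a is True or b is True: return True
    if a is False and b is False: return False
    return None

def k_not(a):
    return None if a is None else (not a)

def evaluate(f: Formula, t: int, log: Log) -> Optional[bool]:
    """Value of (alpha_p)^t, i.e. alpha_p read at time point t."""
    kind = f[0]
    if kind == "atom":
        return log.holds(f[1], t)
    if kind == "not":
        return k_not(evaluate(f[1], t, log))
    if kind == "and":
        return k_and(evaluate(f[1], t, log), evaluate(f[2], t, log))
    if kind == "since":
        # (b1 S b2)^t = exists t1 in [0,t]: b2^t1 and forall t2 in (t1,t]: b1^t2
        b1, b2 = f[1], f[2]
        result = False
        for t1 in range(t + 1):
            inner = True
            for t2 in range(t1 + 1, t + 1):
                inner = k_and(inner, evaluate(b1, t2, log))
            result = k_or(result, k_and(evaluate(b2, t1, log), inner))
        return result
    raise ValueError(f"unknown connective {kind}")

def reduce_globally(alpha: Formula, log: Log, checked=frozenset()):
    """One iteration of reduce(L, G alpha_p). Returns (verdict, violations, checked):
    'BOT' if some instance (alpha_p)^tau_i reduced to bottom, else 'RESIDUAL'
    (every instance at a logged time point not yet in `checked` is top and the
    residual formula covers the remaining time points)."""
    # sat(L, in(tau, 0, inf)): the time points at which the log records an event
    S = sorted(t for t in log.events if t not in checked)
    # hypothesis of Theorem C.12: every logged time point lies in the complete prefix
    if any(t > log.tau0 for t in S):
        raise ValueError("logged time point beyond tau0: log is not tau0-complete")
    violations = [t for t in S if evaluate(alpha, t, log) is False]
    return ("BOT" if violations else "RESIDUAL"), violations, checked | set(S)

# Constructed policy: a disclosure must be covered by an authorization that has
# not been revoked since it was granted:  disclose -> (not revoked) S authorized
POLICY = implies(atom("disclose"), since(neg(atom("revoked")), atom("authorized")))

# Constructed log: first audit at tau0 = 1, later extended to tau0 = 3
LOG1 = Log({0: ["authorized"], 1: ["disclose"]}, tau0=1)
LOG2 = LOG1.extend({2: ["revoked"], 3: ["disclose"]}, new_tau0=3)

def audit_example():
    v1, bad1, done = reduce_globally(POLICY, LOG1)              # first iteration
    v2, bad2, _ = reduce_globally(POLICY, LOG2, checked=done)   # only new time points
    return (v1, bad1), (v2, bad2)

if __name__ == "__main__":
    print(audit_example())
```

The first iteration checks time points 0 and 1, finds both instances $\top$, and leaves the residual $\forall\tau.((\mathrm{in}(\tau,0,\infty) \wedge \tau \notin \{0,1\}) \supset (\alpha_p)^\tau)$, represented here by the `checked` set. After the log is extended, the second iteration checks only the new time points and returns $\bot$ with the violating $\tau = 3$, which is exactly the witness the "only if" direction of Theorem C.12 promises: $\mathcal{L} \models \mathrm{in}(3,0,\tau_0)$ and $\mathcal{L} \models \neg(\alpha_p)^3$. Asking `evaluate` about a time point beyond $\tau_0$ yields `None`, which is the incompleteness that the residual exists to carry forward.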
D HIPAA Case study

This appendix lists the number of subjective and objective atoms in each transmission-related 
clause in the HIPAA Privacy Rule. #S denotes the number of subjective atoms; #S' denotes the 
number of such subjective atoms that can be mechanized by a small amount of design effort; and 
#O denotes the number of objective atoms. The table is sorted by the last column, (#S' + #O) 
/ (#S + #O), the fraction of atoms that can be checked mechanically. 



Clause No.              #S   #S'   #O   (#S' + #O) / (#S + #O)
164.502(e)(1)(ii)(B)     0     0    5   1.00
164.502(a)(1)(i)         1     1    3   1.00
164.502(a)(1)(iv)       37    37    4   1.00
164.502(d)(1)            2     2    2   1.00
164.502(e)(1)(i)         1     1    2   1.00
164.508(a)(2)           37    37    4   1.00
164.508(a)(3)(i)        38    38    4   1.00
164.508(a)(3)(i)(A)      2     2    3   1.00
164.510(a)(1)(ii)        2     2    3   1.00
164.510(a)(2)            2     2    2   1.00
164.512(c)(2)            1     1    0   1.00
164.512(e)(1)(i)         3     3    4   1.00
164.512(e)(1)(ii)        9     9    4   1.00
164.512(e)(1)(vi)        4     4    2   1.00
164.512(f)(2)           10    10    3   1.00
164.512(f)(3)(i)         6     6    4   1.00
164.514(e)(1)           25    25    1   1.00
164.512(j)(3)           11    10    1   0.92
164.524(b)(2)(i)        54    43   41   0.88
164.524(b)(2)(ii)       53    42   42   0.88
164.512(g)(1)            4     3    4   0.88
164.510(b)(1)(i)         2     1    5   0.86
164.502(e)(1)(ii)(C)     3     2    3   0.83
164.506(c)(5)            8     6    4   0.83
164.512(b)(1)(v)         5     3    7   0.83
164.512(k)(1)(iii)       3     2    3   0.83
164.514(f)(1)            3     2    3   0.83
164.502(g)(3)(ii)(A)     2     1    4   0.83
164.502(g)(3)(ii)(B)     2     1    4   0.83
164.502(j)(2)            2     1    4   0.83
164.512(b)(1)(ii)        3     2    3   0.83
164.512(f)(5)            4     3    2   0.83
164.512(k)(1)(i)         2     1    4   0.83
164.512(k)(1)(iv)        2     1    4   0.83
164.512(k)(6)(i)         3     2    3   0.83
164.512(k)(6)(ii)        7     5    4   0.82
164.512(i)(1)           20    15    6   0.81
164.506(c)(3)            2     1    3   0.80
164.512(b)(1)(iii)       3     2    2   0.80
164.512(h)               2     1    3   0.80
164.512(k)(1)(ii)        4     3    1   0.80
164.512(g)(2)            4     2    5   0.78
164.512(d)(1)            6     4    3   0.78
164.502(a)(2)(ii)        2     1    2   0.75
164.506(c)(2)            2     1    2   0.75
164.510(b)(1)(ii)        4     2    4   0.75
164.512(b)(1)(iv)        3     2    1   0.75
164.510(b)(2)            5     3    3   0.75
164.512(f)(1)(i)        17    10   10   0.74
164.506(c)(4)            6     3    4   0.70
164.502(e)(1)(ii)(A)     1     0    2   0.67
164.506(b)(1)            1     0    2   0.67
164.506(c)(1)            4     2    2   0.67
164.512(f)(6)(i)         4     2    2   0.67
164.502(b)(1)            2     1    1   0.67
164.502(i)(1)            5     1    7   0.67
164.512(a)(1)            2     1    1   0.67
164.512(f)(1)(ii)        7     4    2   0.67
164.512(f)(4)            3     1    3   0.67
164.512(i)(1)(ii)(A)    18    11    3   0.67
164.512(l)               2     1    1   0.67
164.512(k)(4)            4     1    3   0.57
164.512(k)(3)            5     2    2   0.57
164.512(b)(1)(i)         6     1    5   0.55
164.502(b)(2)(i)         1     0    1   0.50
164.508(a)(2)(i)(B)      1     0    1   0.50
164.508(a)(2)(i)(C)      1     0    1   0.50
164.508(a)(3)(i)(B)      1     0    1   0.50
164.510(a)(3)(ii)        3     1    1   0.50
164.512(i)(1)(ii)(B)     4     1    2   0.50
164.512(k)(5)(i)         8     2    3   0.45
164.512(k)(2)            4     1    1   0.40
164.510(b)(4)           12     3    2   0.36
164.512(c)(1)           10     1    4   0.36
164.512(f)(3)(ii)        9     1    3   0.33
164.512(i)(1)(i)         5     1    1   0.33
164.514(g)               9     1    2   0.27
164.510(b)(3)            4     1    0   0.25
164.502(a)(1)(iii)       1     0    0   0.00
164.510(a)(3)(i)         4     0    0   0.00
164.512(c)(2)(i)         1     0    0   0.00
164.512(f)(6)(ii)        1     0    0   0.00
164.512(j)(2)(i)         1     0    0   0.00
164.512(j)(2)(ii)        1     0    0   0.00
Total                  578   402  303   0.80

